Hello community, here is the log from the commit of package rubygem-activesupport-5.2 for openSUSE:Factory checked in at 2020-10-05 19:29:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-activesupport-5.2 (Old) and /work/SRC/openSUSE:Factory/.rubygem-activesupport-5.2.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activesupport-5.2" Mon Oct 5 19:29:32 2020 rev:10 rq:838017 version:5.2.4.4 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-activesupport-5.2/rubygem-activesupport-5.2.changes 2020-05-11 13:38:52.076804922 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-activesupport-5.2.new.4249/rubygem-activesupport-5.2.changes 2020-10-05 19:29:38.088514445 +0200 @@ -1,0 +2,18 @@ +Fri Sep 25 13:24:20 UTC 2020 - Stephan Kulow <co...@suse.com> + +updated to version 5.2.4.4 + see installed CHANGELOG.md + + ## Rails 5.2.4.4 (September 09, 2020) ## + + * No changes. + + + ## Rails 5.2.4.3 (May 18, 2020) ## + + * [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore + + * [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore + + +------------------------------------------------------------------- Old: ---- activesupport-5.2.4.2.gem New: ---- activesupport-5.2.4.4.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-activesupport-5.2.spec ++++++ --- /var/tmp/diff_new_pack.WenxGT/_old 2020-10-05 19:29:39.808516105 +0200 +++ /var/tmp/diff_new_pack.WenxGT/_new 2020-10-05 19:29:39.812516110 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-activesupport-5.2 -Version: 5.2.4.2 +Version: 5.2.4.4 Release: 0 %define mod_name activesupport %define mod_full_name %{mod_name}-%{version} ++++++ activesupport-5.2.4.2.gem -> activesupport-5.2.4.4.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2020-03-19 17:30:13.000000000 +0100 +++ new/CHANGELOG.md 2020-09-09 20:34:59.000000000 +0200 
@@ -1,3 +1,14 @@ +## Rails 5.2.4.4 (September 09, 2020) ## + +* No changes. + + +## Rails 5.2.4.3 (May 18, 2020) ## + +* [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore + +* [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore + ## Rails 5.2.4.1 (December 18, 2019) ## * No changes. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/active_support/cache/mem_cache_store.rb new/lib/active_support/cache/mem_cache_store.rb --- old/lib/active_support/cache/mem_cache_store.rb 2020-03-19 17:30:13.000000000 +0100 +++ new/lib/active_support/cache/mem_cache_store.rb 2020-09-09 20:34:59.000000000 +0200 @@ -7,7 +7,6 @@ raise e end -require "active_support/core_ext/marshal" require "active_support/core_ext/array/extract_options" module ActiveSupport @@ -28,14 +27,6 @@ # Provide support for raw values in the local cache strategy. module LocalCacheWithRaw # :nodoc: private - def read_entry(key, options) - entry = super - if options[:raw] && local_cache && entry - entry = deserialize_entry(entry.value) - end - entry - end - def write_entry(key, entry, options) if options[:raw] && local_cache raw_entry = Entry.new(entry.value.to_s) @@ -189,9 +180,8 @@ key end - def deserialize_entry(raw_value) - if raw_value - entry = Marshal.load(raw_value) rescue raw_value + def deserialize_entry(entry) + if entry entry.is_a?(Entry) ? entry : Entry.new(entry) end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/active_support/cache/redis_cache_store.rb new/lib/active_support/cache/redis_cache_store.rb --- old/lib/active_support/cache/redis_cache_store.rb 2020-03-19 17:30:13.000000000 +0100 +++ new/lib/active_support/cache/redis_cache_store.rb 2020-09-09 20:34:59.000000000 +0200 
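Review bot: The new `deserialize_entry(entry)` in the `@@ -189,9 +180,8 @@` hunk of mem_cache_store.rb no longer says what it accepts now that the `Marshal.load` fallback is gone: the parameter is named `entry`, yet the `Entry.new(entry)` branch shows it still receives plain values (raw strings) as well as `Entry` objects. A one-line comment would record the new contract, e.g. `# Wrap a value fetched from memcached in an Entry; no Marshal.load is attempted here, so a raw string stays a raw string (CVE-2020-8165).` Whether the memcached client already unmarshals non-raw entries before they reach this method is not visible in the hunk and should be confirmed against the caller. The enclosing class continues outside the hunk.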
@@ -70,14 +70,6 @@ # Support raw values in the local cache strategy. module LocalCacheWithRaw # :nodoc: private - def read_entry(key, options) - entry = super - if options[:raw] && local_cache && entry - entry = deserialize_entry(entry.value) - end - entry - end - def write_entry(key, entry, options) if options[:raw] && local_cache raw_entry = Entry.new(serialize_entry(entry, raw: true)) @@ -328,7 +320,8 @@ # Read an entry from the cache. def read_entry(key, options = nil) failsafe :read_entry do - deserialize_entry redis.with { |c| c.get(key) } + raw = options&.fetch(:raw, false) + deserialize_entry(redis.with { |c| c.get(key) }, raw: raw) end end @@ -343,6 +336,7 @@ def read_multi_mget(*names) options = names.extract_options! options = merged_options(options) + raw = options&.fetch(:raw, false) keys = names.map { |name| normalize_key(name, options) } @@ -352,7 +346,7 @@ names.zip(values).each_with_object({}) do |(name, value), results| if value - entry = deserialize_entry(value) + entry = deserialize_entry(value, raw: raw) unless entry.nil? || entry.expired? || entry.mismatched?(normalize_version(name, options)) results[name] = entry.value end 
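Review bot: In the `@@ -328,7 +320,8 @@` hunk of redis_cache_store.rb, `raw = options&.fetch(:raw, false)` yields `nil` rather than `false` when `read_entry` is called with its default `options = nil`, and `deserialize_entry` then compares `raw != written_raw` against a boolean; `nil != false` is true, so every read of a marshaled entry through that path emits the new deprecation warning even though the raw option never changed. Normalizing to a boolean fixes it: `raw = options&.fetch(:raw, false) ? true : false`. The same line in the `@@ -343,6 +336,7 @@` hunk (`read_multi_mget`) has the same shape; there `options` comes from `merged_options`, which is presumably always a Hash, but normalizing also keeps the comparison honest for a truthy non-boolean `raw:` value. The comparison itself lives in a later hunk, and both methods' bodies extend beyond their hunks.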
@@ -421,9 +415,20 @@ end end - def deserialize_entry(serialized_entry) + def deserialize_entry(serialized_entry, raw:) if serialized_entry entry = Marshal.load(serialized_entry) rescue serialized_entry + + written_raw = serialized_entry.equal?(entry) + if raw != written_raw + ActiveSupport::Deprecation.warn(<<-MSG.squish) + Using a different value for the raw option when reading and writing + to a cache key is deprecated for :redis_cache_store and Rails 6.0 + will stop automatically detecting the format when reading to avoid + marshal loading untrusted raw strings. + MSG + end + entry.is_a?(Entry) ? entry : Entry.new(entry) end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/active_support/gem_version.rb new/lib/active_support/gem_version.rb --- old/lib/active_support/gem_version.rb 2020-03-19 17:30:13.000000000 +0100 +++ new/lib/active_support/gem_version.rb 2020-09-09 20:34:59.000000000 +0200 @@ -10,7 +10,7 @@ MAJOR = 5 MINOR = 2 TINY = 4 - PRE = "2" + PRE = "4" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2020-03-19 17:30:13.000000000 +0100 +++ new/metadata 2020-09-09 20:34:59.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: activesupport version: !ruby/object:Gem::Version - version: 5.2.4.2 + version: 5.2.4.4 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] -date: 2020-03-19 00:00:00.000000000 Z +date: 2020-09-09 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: i18n 
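Review bot: The deprecation added in the `@@ -421,9 +415,20 @@` hunk fires only after `entry = Marshal.load(serialized_entry) rescue serialized_entry` has already run, so with `raw: true` the stored bytes are still deserialized and, if they happen to form a valid Marshal stream, the loaded object rather than the raw string is what `Entry.new(entry)` wraps and returns; the warning reduces exposure only once callers align their read and write options. That is what a deprecation cycle is for, but the method should say so, e.g. `# raw: only decides whether to warn; the format is still auto-detected, so Marshal.load has already run on the stored value by the time written_raw is computed. Rails 6.0 stops auto-detecting when raw is true.` Separately, the `rescue` modifier on the load line keeps swallowing every StandardError from `Marshal.load`, not only format errors, which is worth a comment if it is intentional.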
@@ -333,8 +333,8 @@ licenses: - MIT metadata: - source_code_uri: https://github.com/rails/rails/tree/v5.2.4.2/activesupport - changelog_uri: https://github.com/rails/rails/blob/v5.2.4.2/activesupport/CHANGELOG.md + source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/activesupport + changelog_uri: https://github.com/rails/rails/blob/v5.2.4.4/activesupport/CHANGELOG.md post_install_message: rdoc_options: - "--encoding" @@ -352,7 +352,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.0.3 +rubygems_version: 3.1.2 signing_key: specification_version: 4 summary: A toolkit of support libraries and Ruby core extensions extracted from the