Hello community,

here is the log from the commit of package rubygem-activerecord-3_2.1541 for openSUSE:12.2:Update checked in at 2013-04-10 22:41:45

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/rubygem-activerecord-3_2.1541 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.rubygem-activerecord-3_2.1541.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activerecord-3_2.1541", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null 2013-04-05 00:01:41.916011506 +0200
+++ /work/SRC/openSUSE:12.2:Update/.rubygem-activerecord-3_2.1541.new/rubygem-activerecord-3_2.changes 2013-04-10 22:41:46.000000000 +0200
@@ -0,0 +1,113 @@ +------------------------------------------------------------------- +Tue Apr 2 11:56:25 UTC 2013 - jmassaguer...@suse.com + +- add patch to fix security issue: + - bug-809932_3-2-attribute_symbols.patch: + fix CVE-2013-1854: rubygem-activerecord*: Symbol DoS vulnerability + in Active Record (bnc#809932) + +------------------------------------------------------------------- +Wed Feb 13 23:32:43 UTC 2013 - mrueck...@suse.de + +- update to version 3.2.12 (bnc#803336) CVE-2013-0276: + - Quote numeric values being compared to non-numeric columns. + Otherwise, in some database, the string column values will be + coerced to a numeric allowing 0, 0.0 or false to match any + string starting with a non-digit. + +------------------------------------------------------------------- +Thu Jan 17 11:50:02 UTC 2013 - mrueck...@suse.de + +- update to 3.2.11: (bnc#796712, bnc#797449, bnc#797452) + * Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155] + * CVE-2012-5664 options hashes should only be extracted if there + are extra parameters +- additional changes from 3.2.10, 3.2.9 and 3.2.8 + The list is too long. Please see + /usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md + +------------------------------------------------------------------- +Thu Aug 2 15:18:55 UTC 2012 - mrueck...@suse.de + +- update to 3.2.7 + * `:finder_sql` and `:counter_sql` options on collection + associations are deprecated. Please transition to using scopes. + *Jon Leighton* + * `:insert_sql` and `:delete_sql` options on + `has_and_belongs_to_many` associations are deprecated. Please + transition to using `has_many :through` *Jon Leighton* + * `composed_of` has been deprecated. You'll have to write your + own accessor and mutator methods if you'd like to use value + objects to represent some portion of your models. + *Steve Klabnik* + * `update_attribute` has been deprecated. 
Use `update_column` if + you want to bypass mass-assignment protection, validations, + callbacks, and touching of updated_at. Otherwise please use + `update_attributes`. *Steve Klabnik* +- additional changes from 3.2.6 + * protect against the nesting of hashes changing the table + context in the next call to build_from_hash. This fix covers + this case as well. CVE-2012-2695 + * Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). + This change introduced a regression (GH #6609). assoc.clear and + assoc.delete_all have loaded the association before doing the + delete since at least Rails 2.3. Doing the delete without + loading the records means that the `before_remove` and + `after_remove` callbacks do not get invoked. Therefore, this + change was less a fix a more an optimisation, which should only + have gone into master. *Jon Leighton* +- additional changes from 3.2.5 + * Restore behavior of Active Record 3.2.3 scopes. A series of + commits relating to preloading and scopes caused a regression. + *Andrew White* +- additional changes from 3.2.4 + * Perf fix: Don't load the records when doing assoc.delete_all. + GH #6289. *Jon Leighton* + * Association preloading shouldn't be affected by the current + scoping. This could cause infinite recursion and potentially + other problems. See GH #5667. *Jon Leighton* + * Datetime attributes are forced to be changed. GH #3965 + * Fix attribute casting. GH #5549 + * Fix #5667. Preloading should ignore scoping. + * Predicate builder should not recurse for determining where + columns. Thanks to Ben Murphy for reporting this! 
+ CVE-2012-2661 + +------------------------------------------------------------------- +Mon Apr 23 09:42:29 UTC 2012 - sasc...@suse.de + +- Explicitly require rubygem-activemodel-3_2 and rubygem-activesupport-3_2 + instead of rubygem-activemodel and rubygem-activemodel to fix + 'have choice' errors + +------------------------------------------------------------------- +Wed Apr 4 15:46:10 UTC 2012 - co...@suse.com + +- update to 3.2.3 + * Added find_or_create_by_{attribute}! dynamic method. *Andrew + White* + * Whitelist all attribute assignment by default. + * Update ActiveRecord::AttributeMethods#attribute_present? to + return false for empty strings. *Jacobkg* + * Fix associations when using per class databases. *larskanis* + * Revert setting NOT NULL constraints in add_timestamps *fxn* + * Fix mysql to use proper text types. Fixes #3931. *kennyj* + * Fix #5069 - Protect foreign key from mass assignment through + association builder. *byroot* + +------------------------------------------------------------------- +Fri Jan 27 01:08:32 UTC 2012 - mrueck...@suse.de + +- update to 3.2.1 + * The threshold for auto EXPLAIN is ignored if there's no logger. + *fxn* + * Call `to_s` on the value passed to `table_name=`, in particular + symbols are supported (regression). *Sergey Nartimov* + * Fix possible race condition when two threads try to define + attribute methods for the same class. *Jon Leighton* + +------------------------------------------------------------------- +Thu Jan 26 16:49:22 UTC 2012 - mrueck...@suse.de + +- initial package of the 3.2 branch + New: ---- activerecord-3.2.12.gem bug-809932_3-2-attribute_symbols.patch rubygem-activerecord-3_2.changes rubygem-activerecord-3_2.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-activerecord-3_2.spec ++++++ # # spec file for package rubygem-activerecord-3_2 # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. 
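Review bot: the "update to 3.2.11" entry sends readers to /usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md for the 3.2.8 to 3.2.10 changes, but this is the activerecord package and the spec installs the gem under %{mod_full_name}, i.e. activerecord-3.2.12; the path should name the activerecord gem's CHANGELOG.md, otherwise anyone checking which of the listed CVE fixes (CVE-2013-0155, CVE-2012-5664) landed in this package is pointed at the wrong gem's history.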
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           rubygem-activerecord-3_2
Version:        3.2.12
Release:        0
%define mod_name activerecord
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  rubygems_with_buildroot_patch
%rubygems_requires
Provides:       rubygem-%{mod_name} = %{version}-%{release}
Provides:       rubygem-%{mod_name}-3 = %{version}-%{release}
Requires:       ruby >= 1.8.7
BuildRequires:  ruby-devel >= 1.8.7
# activesupport = 3.2.3
BuildRequires:  rubygem-activesupport-3_2 = 3.2.12
Requires:       rubygem-activesupport-3_2 = 3.2.12
# activemodel = 3.2.3
BuildRequires:  rubygem-activemodel-3_2 = 3.2.12
Requires:       rubygem-activemodel-3_2 = 3.2.12
# arel ~> 3.0.2
BuildRequires:  rubygem-arel-3_0 >= 3.0.2
Requires:       rubygem-arel-3_0 >= 3.0.2
# tzinfo ~> 0.3.29
BuildRequires:  rubygem-tzinfo-0_3 >= 0.3.29
Requires:       rubygem-tzinfo-0_3 >= 0.3.29
#
Url:            http://www.rubyonrails.org
Source:         %{mod_full_name}.gem
Source1:        bug-809932_3-2-attribute_symbols.patch
#
Summary:        Object-relational mapper framework (part of Rails)
License:        MIT
Group:          Development/Languages/Ruby

%description
Databases on Rails. Build a persistent domain model by mapping database tables
to Ruby classes. Strong conventions for associations, validations,
aggregations, migrations, and testing come baked-in.
%package doc Summary: RDoc documentation for %{mod_name} Group: Development/Languages/Ruby Requires: %{name} = %{version} %description doc Documentation generated at gem installation time. Usually in RDoc and RI formats. %prep %build %install %gem_install %{S:0} pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version} patch -p2 < %{S:1} popd %clean %{__rm} -rf %{buildroot} %files %defattr(-,root,root,-) %{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/ %{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec %files doc %defattr(-,root,root,-) %doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/ %changelog ++++++ bug-809932_3-2-attribute_symbols.patch ++++++ diff --git a/activerecord/lib/active_record/relation.rb b/activerecord/lib/active_record/relation.rb index 4b3b30d..ae1a575 100644 --- a/activerecord/lib/active_record/relation.rb +++ b/activerecord/lib/active_record/relation.rb @@ -464,7 +464,7 @@ module ActiveRecord node.left.relation.name == table_name } - Hash[equalities.map { |where| [where.left.name, where.right] }] + Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access end def scope_for_create diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index b31fdfd..413b81c 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb +++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -20,7 +20,7 @@ module ActiveRecord table = Arel::Table.new(table_name, engine) end - attribute = table[column.to_sym] + attribute = table[column] case value when ActiveRecord::Relation -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
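Review bot: the `.with_indifferent_access` appended to the `Hash[equalities.map { ... }]` return in relation.rb changes what `where_values_hash` hands back from a plain `Hash` to a `HashWithIndifferentAccess`, and neither the hunk nor the bug-809932 changes entry records that. The reason it is needed is the second hunk: once the predicate builder stops calling `to_sym`, the names read back from `where.left.name` may be strings rather than symbols, so indifferent access is what keeps symbol-keyed lookups in `scope_for_create` (and any other caller of this hash) working. Please add a one-line comment above the return saying so, and mention the return-type change in the changes file, so a later cleanup does not drop it and silently reopen the string/symbol mismatch.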
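Review bot: the change from `table[column.to_sym]` to `table[column]` in predicate_builder.rb is the CVE-2013-1854 fix the changes file describes as a Symbol DoS, and it deserves a comment at that line: `column` is the attribute name the caller supplied, which in a query built from request parameters is chosen by the client, and on the interpreters this package targets (`Requires: ruby >= 1.8.7`) symbols are never garbage collected, so interning every distinct name lets a remote caller grow the symbol table until memory is exhausted. Two checks before accepting: confirm that `Arel::Table#[]` in the required `rubygem-arel-3_0 >= 3.0.2` accepts a String name without interning it itself, otherwise the allocation has only moved one frame down; and leave a short comment stating why the conversion must not return, since `column.to_sym` reads like the idiomatic form and is an easy regression to reintroduce.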