Hello community,

Here is the log from the commit of package rubygem-activerecord-3_2.1541 for openSUSE:12.2:Update checked in at 2013-04-10 22:41:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/rubygem-activerecord-3_2.1541 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.rubygem-activerecord-3_2.1541.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-activerecord-3_2.1541", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2013-04-05 00:01:41.916011506 +0200
+++ 
/work/SRC/openSUSE:12.2:Update/.rubygem-activerecord-3_2.1541.new/rubygem-activerecord-3_2.changes
  2013-04-10 22:41:46.000000000 +0200
@@ -0,0 +1,113 @@
+-------------------------------------------------------------------
+Tue Apr  2 11:56:25 UTC 2013 - jmassaguer...@suse.com
+
+- add patch to fix security issue:
+  - bug-809932_3-2-attribute_symbols.patch:
+    fix CVE-2013-1854: rubygem-activerecord*: Symbol DoS vulnerability
+    in Active Record (bnc#809932)
+
+-------------------------------------------------------------------
+Wed Feb 13 23:32:43 UTC 2013 - mrueck...@suse.de
+
+- update to version 3.2.12 (bnc#803336) CVE-2013-0276:
+  - Quote numeric values being compared to non-numeric columns.
+    Otherwise, in some database, the string column values will be
+    coerced to a numeric allowing 0, 0.0 or false to match any
+    string starting with a non-digit.
+
+-------------------------------------------------------------------
+Thu Jan 17 11:50:02 UTC 2013 - mrueck...@suse.de
+
+- update to 3.2.11: (bnc#796712, bnc#797449, bnc#797452)
+  * Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155]
+  * CVE-2012-5664 options hashes should only be extracted if there
+    are extra parameters
+- additional changes from 3.2.10, 3.2.9 and 3.2.8
+  The list is too long. Please see 
+  /usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md
+
+-------------------------------------------------------------------
+Thu Aug  2 15:18:55 UTC 2012 - mrueck...@suse.de
+
+- update to 3.2.7
+  * `:finder_sql` and `:counter_sql` options on collection
+    associations are deprecated. Please transition to using scopes.
+    *Jon Leighton*
+  * `:insert_sql` and `:delete_sql` options on
+    `has_and_belongs_to_many` associations are deprecated. Please
+    transition to using `has_many :through` *Jon Leighton*
+  * `composed_of` has been deprecated. You'll have to write your
+    own accessor and mutator methods if you'd like to use value
+    objects to represent some portion of your models.
+    *Steve Klabnik*
+  * `update_attribute` has been deprecated. Use `update_column` if
+    you want to bypass mass-assignment protection, validations,
+    callbacks, and touching of updated_at. Otherwise please use
+    `update_attributes`.  *Steve Klabnik*
+- additional changes from 3.2.6
+  * protect against the nesting of hashes changing the table
+    context in the next call to build_from_hash. This fix covers
+    this case as well.  CVE-2012-2695
+  * Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289).
+    This change introduced a regression (GH #6609). assoc.clear and
+    assoc.delete_all have loaded the association before doing the
+    delete since at least Rails 2.3. Doing the delete without
+    loading the records means that the `before_remove` and
+    `after_remove` callbacks do not get invoked. Therefore, this
+    change was less a fix a more an optimisation, which should only
+    have gone into master.  *Jon Leighton*
+- additional changes from 3.2.5
+  * Restore behavior of Active Record 3.2.3 scopes.  A series of
+    commits relating to preloading and scopes caused a regression.
+    *Andrew White*
+- additional changes from 3.2.4
+  * Perf fix: Don't load the records when doing assoc.delete_all.
+    GH #6289. *Jon Leighton*
+  * Association preloading shouldn't be affected by the current
+    scoping.  This could cause infinite recursion and potentially
+    other problems.  See GH #5667. *Jon Leighton*
+  * Datetime attributes are forced to be changed. GH #3965
+  * Fix attribute casting. GH #5549
+  * Fix #5667. Preloading should ignore scoping.
+  * Predicate builder should not recurse for determining where
+    columns.  Thanks to Ben Murphy for reporting this!
+    CVE-2012-2661
+
+-------------------------------------------------------------------
+Mon Apr 23 09:42:29 UTC 2012 - sasc...@suse.de
+
+- Explicitly require rubygem-activemodel-3_2 and rubygem-activesupport-3_2
+  instead of rubygem-activemodel and rubygem-activemodel to fix
+  'have choice' errors
+
+-------------------------------------------------------------------
+Wed Apr  4 15:46:10 UTC 2012 - co...@suse.com
+
+- update to 3.2.3
+  * Added find_or_create_by_{attribute}! dynamic method. *Andrew
+    White*
+  * Whitelist all attribute assignment by default. 
+  * Update ActiveRecord::AttributeMethods#attribute_present? to
+    return false for empty strings. *Jacobkg*
+  * Fix associations when using per class databases. *larskanis*
+  * Revert setting NOT NULL constraints in add_timestamps *fxn*
+  * Fix mysql to use proper text types. Fixes #3931. *kennyj*
+  * Fix #5069 - Protect foreign key from mass assignment through
+    association builder. *byroot*
+
+-------------------------------------------------------------------
+Fri Jan 27 01:08:32 UTC 2012 - mrueck...@suse.de
+
+- update to 3.2.1
+  * The threshold for auto EXPLAIN is ignored if there's no logger.
+    *fxn*
+  * Call `to_s` on the value passed to `table_name=`, in particular
+    symbols are supported (regression). *Sergey Nartimov*
+  * Fix possible race condition when two threads try to define
+    attribute methods for the same class. *Jon Leighton*
+
+-------------------------------------------------------------------
+Thu Jan 26 16:49:22 UTC 2012 - mrueck...@suse.de
+
+- initial package of the 3.2 branch
+
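
Review bot: The 3.2.11 entry sends the reader to `/usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md` for the omitted 3.2.8 to 3.2.10 changes, which is the actionpack gem rather than this package; it should point at the activerecord changelog. The Apr 23 2012 entry also reads "instead of rubygem-activemodel and rubygem-activemodel", where the second name looks like it was meant to be rubygem-activesupport. The CVE-2013-1854 entry names the patch file but not what it changes; one line saying that column names are no longer converted to symbols would help anyone auditing the update.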

New:
----
  activerecord-3.2.12.gem
  bug-809932_3-2-attribute_symbols.patch
  rubygem-activerecord-3_2.changes
  rubygem-activerecord-3_2.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-activerecord-3_2.spec ++++++
#
# spec file for package rubygem-activerecord-3_2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#



Name:           rubygem-activerecord-3_2
Version:        3.2.12
Release:        0
%define mod_name activerecord
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  rubygems_with_buildroot_patch
%rubygems_requires
Provides:       rubygem-%{mod_name}   = %{version}-%{release}
Provides:       rubygem-%{mod_name}-3 = %{version}-%{release}
Requires:       ruby >= 1.8.7
BuildRequires:  ruby-devel >= 1.8.7
# activesupport = 3.2.3
BuildRequires:  rubygem-activesupport-3_2 = 3.2.12
Requires:       rubygem-activesupport-3_2 = 3.2.12
# activemodel = 3.2.3
BuildRequires:  rubygem-activemodel-3_2 = 3.2.12
Requires:       rubygem-activemodel-3_2 = 3.2.12
# arel ~> 3.0.2
BuildRequires:  rubygem-arel-3_0 >= 3.0.2
Requires:       rubygem-arel-3_0 >= 3.0.2
# tzinfo ~> 0.3.29
BuildRequires:  rubygem-tzinfo-0_3 >= 0.3.29
Requires:       rubygem-tzinfo-0_3 >= 0.3.29
#
Url:            http://www.rubyonrails.org
Source:         %{mod_full_name}.gem
Source1:        bug-809932_3-2-attribute_symbols.patch
#
Summary:        Object-relational mapper framework (part of Rails)
License:        MIT
Group:          Development/Languages/Ruby

%description
Databases on Rails. Build a persistent domain model by mapping database tables 
to Ruby classes. Strong conventions for associations, validations, 
aggregations, migrations, and testing come baked-in.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%prep

%build

%install
%gem_install %{S:0}
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
 patch -p2 < %{S:1}
popd

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%changelog
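
Review bot: `%files` still ships `%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem`, which is the gem as installed from `Source`, while the security fix is applied only to the unpacked tree in `%install`. Anything that reinstalls or unpacks from that cached gem gets the code without bug-809932_3-2-attribute_symbols.patch, so consider dropping the cache file from the package or patching before packaging. The patch is also declared as `Source1` and applied with a bare `patch -p2` instead of a `Patch:` tag, and the comments `# activesupport = 3.2.3` and `# activemodel = 3.2.3` no longer match the `= 3.2.12` requirements beneath them.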
++++++ bug-809932_3-2-attribute_symbols.patch ++++++
diff --git a/activerecord/lib/active_record/relation.rb 
b/activerecord/lib/active_record/relation.rb
index 4b3b30d..ae1a575 100644
--- a/activerecord/lib/active_record/relation.rb
+++ b/activerecord/lib/active_record/relation.rb
@@ -464,7 +464,7 @@ module ActiveRecord
         node.left.relation.name == table_name
       }
 
-      Hash[equalities.map { |where| [where.left.name, where.right] }]
+      Hash[equalities.map { |where| [where.left.name, where.right] 
}].with_indifferent_access
     end
 
     def scope_for_create
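
Review bot: The added `.with_indifferent_access` changes the return type of this method from a plain Hash to a HashWithIndifferentAccess, and the patch carries no test for that change. Lookups by symbol or string both keep working, but keys are stored as strings, so any caller that enumerates the keys or compares the result against a symbol-keyed Hash will now see different values. A regression test that looks up a where value by both symbol and string key, plus a check of the callers that iterate the result, would cover this.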
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb 
b/activerecord/lib/active_record/relation/predicate_builder.rb
index b31fdfd..413b81c 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -20,7 +20,7 @@ module ActiveRecord
             table = Arel::Table.new(table_name, engine)
           end
 
-          attribute = table[column.to_sym]
+          attribute = table[column]
 
           case value
           when ActiveRecord::Relation
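
Review bot: The replacement line `attribute = table[column]` has no comment explaining why the `to_sym` must stay out, although per the changes file this is the CVE-2013-1854 (Symbol DoS) fix. A short comment noting that `column` can come from request parameters, and that symbols are not garbage-collected on the Ruby versions this package requires, would stop a later cleanup from reintroducing `column.to_sym`. The context line `table = Arel::Table.new(table_name, engine)` is on the same path and the hunk does not show how `table_name` is derived, so confirm it is not symbolized either.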