------------------------------------------------------------------- Tue Mar 26 15:41:46 UTC 2013 - jmassaguerpla@suse.com - fix CVE-2013-1854: rubygem-activerecord*: Symbol DoS vulnerability in Active Record (bnc#809932) ------------------------------------------------------------------- Thu Feb 14 09:50:59 UTC 2013 - mrueckert@suse.de - update to version 3.2.12 (bnc#803336) CVE-2013-0276: - Quote numeric values being compared to non-numeric columns. Otherwise, in some database, the string column values will be coerced to a numeric allowing 0, 0.0 or false to match any string starting with a non-digit. ------------------------------------------------------------------- Wed Jan 9 10:03:31 UTC 2013 - jreidinger@suse.com - update to 3.2.11 * Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155] ------------------------------------------------------------------- Thu Jan 3 13:07:37 UTC 2013 - jreidinger@suse.com - update to 3.2.10 * CVE-2012-5664 options hashes should only be extracted if there are extra parameters ------------------------------------------------------------------- Thu Nov 15 17:01:23 UTC 2012 - jreidinger@suse.com - update to 3.2.9 * Fix issue with collection associations calling first(n)/last(n) and attempting to set the inverse association when :inverse_of was used. Fixes #8087. * Do not set RAILS_ENV to "development" when using db:test:prepare and related rake tasks. This was causing the truncation of the development database data when using RSpec. Fixes #7175. * Fix bug when Column is trying to type cast boolean values to integer. Fixes #8067. * Synchronize around deleting from the reserved connections hash. * PostgreSQL adapter correctly fetches default values when using multiple schemas and domains in a db. Fixes #7914 * The postgres adapter now supports tables with capital letters. * Fix reset_counters crashing on has_many :through associations. * for remaining see Changelog.md ------------------------------------------------------------------- Fri Jul 27 12:55:06 UTC 2012 - coolo@suse.com - update to 3.2.7 * `:finder_sql` and `:counter_sql` options on collection associations are deprecated. Please transition to using scopes. * `:insert_sql` and `:delete_sql` options on `has_and_belongs_to_many` associations are deprecated. Please transition to using `has_many :through` * `composed_of` has been deprecated. You'll have to write your own accessor and mutator methods if you'd like to use value objects to represent some portion of your models. * `update_attribute` has been deprecated. Use `update_column` if you want to bypass mass-assignment protection, validations, callbacks, and touching of updated_at. Otherwise please use `update_attributes`. ------------------------------------------------------------------- Fri Jun 29 10:26:02 UTC 2012 - coolo@suse.com - update to 3.2.6 * protect against the nesting of hashes changing the table context in the next call to build_from_hash. This fix covers this case as well. CVE-2012-2695 * Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). This change introduced a regression (GH #6609). assoc.clear and assoc.delete_all have loaded the association before doing the delete since at least Rails 2.3. Doing the delete without loading the records means that the `before_remove` and `after_remove` callbacks do not get invoked. Therefore, this change was less a fix a more an optimisation, which should only have gone into master. * Restore behavior of Active Record 3.2.3 scopes. A series of commits relating to preloading and scopes caused a regression. * Perf fix: Don't load the records when doing assoc.delete_all. GH #6289. *Jon Leighton* * Association preloading shouldn't be affected by the current scoping. This could cause infinite recursion and potentially other problems. See GH #5667. *Jon Leighton* * Datetime attributes are forced to be changed. GH #3965 * Fix attribute casting. GH #5549 * Fix #5667. Preloading should ignore scoping. * Predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this! CVE-2012-2661 ------------------------------------------------------------------- Mon Apr 23 09:42:29 UTC 2012 - saschpe@suse.de - Explicitly require rubygem-activemodel-3_2 and rubygem-activesupport-3_2 instead of rubygem-activemodel and rubygem-activemodel to fix 'have choice' errors ------------------------------------------------------------------- Wed Apr 4 15:46:10 UTC 2012 - coolo@suse.com - update to 3.2.3 * Added find_or_create_by_{attribute}! dynamic method. *Andrew White* * Whitelist all attribute assignment by default. * Update ActiveRecord::AttributeMethods#attribute_present? to return false for empty strings. *Jacobkg* * Fix associations when using per class databases. *larskanis* * Revert setting NOT NULL constraints in add_timestamps *fxn* * Fix mysql to use proper text types. Fixes #3931. *kennyj* * Fix #5069 - Protect foreign key from mass assignment through association builder. *byroot* ------------------------------------------------------------------- Fri Jan 27 01:08:32 UTC 2012 - mrueckert@suse.de - update to 3.2.1 * The threshold for auto EXPLAIN is ignored if there's no logger. *fxn* * Call `to_s` on the value passed to `table_name=`, in particular symbols are supported (regression). *Sergey Nartimov* * Fix possible race condition when two threads try to define attribute methods for the same class. *Jon Leighton* ------------------------------------------------------------------- Thu Jan 26 16:49:22 UTC 2012 - mrueckert@suse.de - initial package of the 3.2 branch