openEuler Security Advisory: openEuler-SA-2023-1133
rubygem-activerecord security update

Title: An update for rubygem-activerecord is now available for openEuler-22.03-LTS-SP1
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Document version: 1.0
Initial release date: 2023-03-01
Current release date: 2023-03-01
Revision history: 1.0, 2023-03-01, Initial
Generator: openEuler SA Tool V1.0, 2023-03-01
Severity: High
Affected product: openEuler-22.03-LTS-SP1

Summary

An update for rubygem-activerecord is now available for openEuler-22.03-LTS-SP1.

Description

rubygem-activerecord implements the Active Record pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.

Security Fix(es):

CVE-2022-44566: A denial of service vulnerability in ActiveRecord's PostgreSQL adapter before 7.0.4.1 and before 6.1.7.1. When a value outside the range of a 64-bit signed integer is provided to the PostgreSQL connection adapter, the adapter treats the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in a potential denial of service.

CVE-2023-22794: A vulnerability in ActiveRecord before 6.0.6.1, 6.1.7.1 and 7.0.4.1 related to the sanitization of comments. If malicious user input is passed to the `annotate` query method, the `optimizer_hints` query method, or the QueryLogs interface (which adds annotations automatically), it may be sent to the database with insufficient sanitization and be able to inject SQL outside the comment.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1133
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-44566
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-22794
https://nvd.nist.gov/vuln/detail/CVE-2022-44566
https://nvd.nist.gov/vuln/detail/CVE-2023-22794

Updated packages (openEuler-22.03-LTS-SP1)

rubygem-activerecord-doc-6.1.4.1-2.oe2203sp1.noarch.rpm
rubygem-activerecord-6.1.4.1-2.oe2203sp1.noarch.rpm
rubygem-activerecord-6.1.4.1-2.oe2203sp1.src.rpm

Note: the updated package keeps the upstream gem version 6.1.4.1, which is below the upstream fixed releases 6.1.7.1 and 7.0.4.1; the fixes are therefore carried in the distribution package rather than by a gem upgrade. Confirm remediation by the installed package release (`rpm -q rubygem-activerecord` should report 6.1.4.1-2.oe2203sp1 or later), not by the gem version string.

Vulnerability details

CVE-2022-44566
Release date: 2023-03-01
Affected product: openEuler-22.03-LTS-SP1
Severity: High
CVSS base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remediation: rubygem-activerecord security update, 2023-03-01, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1133

CVE-2023-22794
Release date: 2023-03-01
Affected product: openEuler-22.03-LTS-SP1
Severity: High
CVSS base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Remediation: rubygem-activerecord security update, 2023-03-01, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1133
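The two defects above, as an added example in plain Ruby that is not code from the advisory, openEuler or Rails: the function names (`safe_int64`, `sanitize_sql_comment`, `annotated_sql`) and the simplified comment sanitizer are this example's own assumptions and stand in for the gem's internal fix; they show the input-range check that keeps an integer lookup from being compared as numeric, and the comment-delimiter stripping that keeps `annotate`/`optimizer_hints` text inside its `/* ... */` comment. It runs without ActiveRecord and is a defense-in-depth illustration, not a substitute for installing the update.

```ruby
# Added example: defensive checks in plain Ruby that mirror the two issues
# fixed by this update. NOT code from the advisory, openEuler or Rails; the
# function names are this example's own and the sanitizer is a simplified
# stand-in for the gem's internal fix. Needs no ActiveRecord to run.

INT64_MIN = -(2**63)
INT64_MAX = (2**63) - 1

# CVE-2022-44566: a literal outside the signed 64-bit range makes the
# PostgreSQL adapter treat the column as numeric, so an indexed integer
# lookup degrades to a sequential scan. Validate the value before it is
# bound into a query. Returns the Integer, or nil when the value must be
# rejected (non-integer text, or out of range).
def safe_int64(value)
  text = value.to_s.strip
  return nil unless text.match?(/\A-?\d+\z/)
  int = text.to_i
  (INT64_MIN..INT64_MAX).cover?(int) ? int : nil
end

# CVE-2023-22794: text interpolated into a /* ... */ SQL comment (annotate,
# optimizer_hints, QueryLogs) must not be able to close the comment or open
# a nested one (PostgreSQL nests block comments). Strip every "/*" and "*/"
# and repeat until none remain, so overlapping forms such as "**//" cannot
# reassemble a delimiter after a single pass.
def sanitize_sql_comment(text)
  out = text.to_s.dup
  out.gsub!(%r{/\*|\*/}, "") while out.match?(%r{/\*|\*/})
  out
end

# Build an annotated statement the way a safe `annotate` would: the comment
# body is sanitized, so exactly one comment opener and closer reach the DB.
def annotated_sql(base_sql, annotation)
  "#{base_sql} /* #{sanitize_sql_comment(annotation)} */"
end

if $PROGRAM_NAME == __FILE__
  puts safe_int64("9223372036854775808").inspect        # nil: out of range
  puts annotated_sql("SELECT * FROM users WHERE id = $1",
                     "req */ ; DROP TABLE users; /* ")  # comment stays closed
end
```

Rejecting out-of-range values at the application boundary means the adapter never sees a literal it would have to widen to numeric, and stripping both delimiters (not just `*/`) matters because PostgreSQL treats block comments as nestable.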