Security update for rubygem-activerecord-5_1 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:3634-1 Final 1 1 2021-11-09T09:51:26Z current 2021-11-09T09:51:26Z 2021-11-09T09:51:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-activerecord-5_1 This update for rubygem-activerecord-5_1 fixes the following issues: - CVE-2021-22880: Fixed possible DoS vector in PostgreSQL money type (bsc#1182169). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-3634 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DSBBYVVTCKLFKYMF7OEIC2G2QUWN6ERM/ E-Mail link for openSUSE-SU-2021:3634-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182169 SUSE Bug 1182169 https://www.suse.com/security/cve/CVE-2021-22880/ SUSE CVE CVE-2021-22880 page openSUSE Leap 15.3 ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 as a component of openSUSE Leap 15.3 The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. CVE-2021-22880 openSUSE Leap 15.3:ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DSBBYVVTCKLFKYMF7OEIC2G2QUWN6ERM/ https://www.suse.com/security/cve/CVE-2021-22880.html CVE-2021-22880 https://bugzilla.suse.com/1182169 SUSE Bug 1182169 https://bugzilla.suse.com/1188335 SUSE Bug 1188335