ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10343-1 Final 1 1 2026-03-13T00:00:00Z current 2026-03-13T00:00:00Z 2026-03-13T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 on GA media These are all security issues fixed in the ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10343 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-54133/ SUSE CVE CVE-2024-54133 page https://www.suse.com/security/cve/CVE-2025-55193/ SUSE CVE CVE-2025-55193 page openSUSE Tumbleweed ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 as a component of openSUSE Tumbleweed Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. CVE-2024-54133 openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-54133.html CVE-2024-54133 https://bugzilla.suse.com/1234365 SUSE Bug 1234365 Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1. CVE-2025-55193 openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55193.html CVE-2025-55193 https://bugzilla.suse.com/1248099 SUSE Bug 1248099