GHSA/SYNC: 1 brand new rails-related advisory

[jasnow]

GHSA/SYNC: 1 brand new rails-related advisory
* gems/activestorage/CVE-2026-33658.yml

[eraffel-MDSol]

I don't think this is right. It's saying 8.0.5 is not patched

[eraffel-MDSol]

@jasnow https://rubyonrails.org/2026/3/24/Rails-Versions-8-0-5-and-8-1-3-have-been-released
8.0.5 and 8.1.3 are also considered patched

[jasnow]

@eraffel-MDSol

• 1st comment - the ">" part of the "patched_versions" values means greater and equal to the given value.
• 2nd comment - I agree - see previous response.

[eraffel-MDSol]

@jasnow then shouldn't line 19 be
">= 8.0.4.1, < 8.1"

~> 8.0.4.1 is only going to cover 8.0.4.x, where x is greater than or equal to 1

[jasnow]

My guess is that it follows: https://guides.rubygems.org/patterns/ and it is called pessimistic version constraint.

[eraffel-MDSol]

I'm confused. I'm saying that this PR is not correct and was hoping you'd update the file. Do you want me to open a fix?

[jasnow]

I'm confused. I'm saying that this PR is not correct and was hoping you'd update the file. Do you want me to open a fix?

what's wrong with it?

[eraffel-MDSol]

See screenshot below. 8.0.5 should not be considered vulnerable for this CVE. If you look at the affected versions on the CVE (GHSA-p9fm-f462-ggrg), 8.0.5 doesn't fall into any of those ranges. I think line 19 in the PR should change, probably as per my comment above:

">= 8.0.4.1, < 8.1"

[jasnow]

I will let @postmodern answer this question.

[postmodern]

I am going to change the ~> X.Y.Z.W patched versions to ~> X.Y.Z, >= X.Y.Z.W, which should allow for versions greater than X.Y.Z.W but less than X.Y+1.0.