Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package hawk2 for openSUSE:Factory checked in at 2025-05-12 16:51:33

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hawk2 (Old)
 and      /work/SRC/openSUSE:Factory/.hawk2.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hawk2" Mon May 12 16:51:33 2025 rev:23 rq:1276757 version:2.7.0+git.1742310530.bfcd0e2c Changes: -------- --- /work/SRC/openSUSE:Factory/hawk2/hawk2.changes 2025-05-05 22:57:30.743285433 +0200 +++ /work/SRC/openSUSE:Factory/.hawk2.new.30101/hawk2.changes 2025-05-12 16:55:23.025039260 +0200 @@ -1,0 +2,9 @@ +Sun May 11 12:01:02 UTC 2025 - Aleksei Burlakov <[email protected]> + +- bump ruby gem rack-session to 2.1.1 (bsc#1242927) + * rack-session-2.1.1.gem + +- bump ruby gem rack to 3.1.14 (bsc#1242892,bsc#1242894) + * rack-3.1.14.gem + +------------------------------------------------------------------- Old: ---- rack-3.1.12.gem rack-session-2.1.0.gem New: ---- rack-3.1.14.gem rack-session-2.1.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hawk2.spec ++++++ --- /var/tmp/diff_new_pack.SkrJkq/_old 2025-05-12 16:55:24.621105322 +0200 +++ /var/tmp/diff_new_pack.SkrJkq/_new 2025-05-12 16:55:24.621105322 +0200 @@ -71,8 +71,8 @@ Source23: loofah-2.24.0.gem Source24: rails-html-sanitizer-1.6.2.gem Source25: actionview-8.0.2.gem -Source26: rack-3.1.12.gem -Source27: rack-session-2.1.0.gem +Source26: rack-3.1.14.gem +Source27: rack-session-2.1.1.gem Source28: rack-test-2.2.0.gem Source29: useragent-0.16.11.gem Source30: actionpack-8.0.2.gem ++++++ gemfile-lock.patch ++++++ --- /var/tmp/diff_new_pack.SkrJkq/_old 2025-05-12 16:55:24.817113435 +0200 +++ /var/tmp/diff_new_pack.SkrJkq/_new 2025-05-12 16:55:24.821113601 +0200 
@@ -196,8 +196,8 @@ + puma (6.6.0) + nio4r (~> 2.0) + racc (1.8.1) -+ rack (3.1.12) -+ rack-session (2.1.0) ++ rack (3.1.14) ++ rack-session (2.1.1) + base64 (>= 0.1.0) + rack (>= 3.0.0) + rack-test (2.2.0) ++++++ rack-3.1.12.gem -> rack-3.1.14.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2025-03-10 22:22:08.000000000 +0100 +++ new/CHANGELOG.md 2025-05-06 23:35:14.000000000 +0200 @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/). +## [3.1.14] - 2025-05-06 + +### Security + +- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion. + +## [3.1.13] - 2025-04-13 + +- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix]) + ## [3.1.12] - 2025-03-11 ### Security @@ -129,6 +139,16 @@ - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman]) +## [3.0.16] - 2025-05-06 + +### Security + +- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion. + +## [3.0.15] - 2025-04-13 + +- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix]) + ## [3.0.14] - 2025-03-11 ### Security 
@@ -323,6 +343,12 @@ - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm)) - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst)) +## [2.2.14] - 2025-05-06 + +### Security + +- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion. + ## [2.2.13] - 2025-03-11 ### Security diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2025-03-10 22:22:08.000000000 +0100 +++ new/README.md 2025-05-06 23:35:14.000000000 +0200 
@@ -183,6 +183,33 @@ Rack exposes several configuration parameters to control various features of the implementation. +### `RACK_QUERY_PARSER_BYTESIZE_LIMIT` + +This environment variable sets the default for the maximum query string bytesize +that `Rack::QueryParser` will attempt to parse. Attempts to use a query string +that exceeds this number of bytes will result in a +`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is +provided, it must be an integer, or `Rack::QueryParser` will raise an exception. + +The default limit can be overridden on a per-`Rack::QueryParser` basis using +the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`. + +### `RACK_QUERY_PARSER_PARAMS_LIMIT` + +This environment variable sets the default for the maximum number of query +parameters that `Rack::QueryParser` will attempt to parse. Attempts to use a +query string with more than this many query parameters will result in a +`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is +provided, it must be an integer, or `Rack::QueryParser` will raise an exception. + +The default limit can be overridden on a per-`Rack::QueryParser` basis using +the `params_limit` keyword argument when creating the `Rack::QueryParser`. + +This is implemented by counting the number of parameter separators in the +query string, before attempting parsing, so if the same parameter key is +used multiple times in the query, each counts as a separate parameter for +this check. + ### `param_depth_limit` ```ruby Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/etag.rb new/lib/rack/etag.rb --- old/lib/rack/etag.rb 2025-03-10 22:22:08.000000000 +0100 +++ new/lib/rack/etag.rb 2025-05-06 23:35:14.000000000 +0200 
@@ -32,6 +32,9 @@ body = body.to_ary digest = digest_body(body) headers[ETAG_STRING] = %(W/"#{digest}") if digest + + # Body was modified, so we need to re-assign it: + response[2] = body end unless headers[CACHE_CONTROL] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/query_parser.rb new/lib/rack/query_parser.rb --- old/lib/rack/query_parser.rb 2025-03-10 22:22:08.000000000 +0100 +++ new/lib/rack/query_parser.rb 2025-05-06 23:35:14.000000000 +0200 
@@ -21,21 +21,47 @@ include BadRequest end - # ParamsTooDeepError is the error that is raised when params are recursively - # nested over the specified limit. - class ParamsTooDeepError < RangeError + # QueryLimitError is for errors raised when the query provided exceeds one + # of the query parser limits. + class QueryLimitError < RangeError include BadRequest end - def self.make_default(param_depth_limit) - new Params, param_depth_limit + # ParamsTooDeepError is the old name for the error that is raised when params + # are recursively nested over the specified limit. Make it the same as + # as QueryLimitError, so that code that rescues ParamsTooDeepError error + # to handle bad query strings also now handles other limits. + ParamsTooDeepError = QueryLimitError + + def self.make_default(param_depth_limit, **options) + new(Params, param_depth_limit, **options) end attr_reader :param_depth_limit - def initialize(params_class, param_depth_limit) + env_int = lambda do |key, val| + if str_val = ENV[key] + begin + val = Integer(str_val, 10) + rescue ArgumentError + raise ArgumentError, "non-integer value provided for environment variable #{key}" + end + end + + val + end + + BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304) + private_constant :BYTESIZE_LIMIT + + PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096) + private_constant :PARAMS_LIMIT + + def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT) @params_class = params_class @param_depth_limit = param_depth_limit + @bytesize_limit = bytesize_limit + @params_limit = params_limit end # Stolen from Mongrel, with some small modifications: 
@@ -47,7 +73,7 @@ params = make_params - (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p| + check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p| next if p.empty? k, v = p.split('=', 2).map!(&unescaper) @@ -74,7 +100,7 @@ params = make_params unless qs.nil? || qs.empty? - (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p| + check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map! { |s| unescape(s) } _normalize_params(params, k, v, 0) @@ -189,6 +215,22 @@ true end + def check_query_string(qs, sep) + if qs + if qs.bytesize > @bytesize_limit + raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})" + end + + if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit + raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})" + end + + qs + else + '' + end + end + def unescape(string, encoding = Encoding::UTF_8) URI.decode_www_form_component(string, encoding) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb --- old/lib/rack/version.rb 2025-03-10 22:22:08.000000000 +0100 +++ new/lib/rack/version.rb 2025-05-06 23:35:14.000000000 +0200 @@ -12,7 +12,7 @@ # so it should be enough just to <tt>require 'rack'</tt> in your code. module Rack - RELEASE = "3.1.12" + RELEASE = "3.1.14" # Return the Rack release as a dotted string. def self.release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2025-03-10 22:22:08.000000000 +0100 +++ new/metadata 2025-05-06 23:35:14.000000000 +0200 
@@ -1,13 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 3.1.12 + version: 3.1.14 platform: ruby authors: - Leah Neukirchen +autorequire: bindir: bin cert_chain: [] -date: 2025-03-10 00:00:00.000000000 Z +date: 2025-05-06 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: minitest @@ -142,6 +143,7 @@ changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md documentation_uri: https://rubydoc.info/github/rack/rack source_code_uri: https://github.com/rack/rack +post_install_message: rdoc_options: [] require_paths: - lib @@ -156,7 +158,8 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.6.2 +rubygems_version: 3.5.22 +signing_key: specification_version: 4 summary: A modular Ruby webserver interface. test_files: [] ++++++ rack-session-2.1.0.gem -> rack-session-2.1.1.gem ++++++ Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/session/pool.rb new/lib/rack/session/pool.rb --- old/lib/rack/session/pool.rb 2025-01-04 08:40:53.000000000 +0100 +++ new/lib/rack/session/pool.rb 2025-05-06 12:54:56.000000000 +0200 @@ -53,6 +53,7 @@ def write_session(req, session_id, new_session, options) @mutex.synchronize do + return false unless get_session_with_fallback(session_id) @pool.store session_id.private_id, new_session session_id end 
@@ -62,7 +63,12 @@ @mutex.synchronize do @pool.delete(session_id.public_id) @pool.delete(session_id.private_id) - generate_sid(use_mutex: false) unless options[:drop] + + unless options[:drop] + sid = generate_sid(use_mutex: false) + @pool.store(sid.private_id, {}) + sid + end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/session/version.rb new/lib/rack/session/version.rb --- old/lib/rack/session/version.rb 2025-01-04 08:40:53.000000000 +0100 +++ new/lib/rack/session/version.rb 2025-05-06 12:54:56.000000000 +0200 @@ -5,6 +5,6 @@ module Rack module Session - VERSION = "2.1.0" + VERSION = "2.1.1" end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2025-01-04 08:40:53.000000000 +0100 +++ new/metadata 2025-05-06 12:54:56.000000000 +0200 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: rack-session version: !ruby/object:Gem::Version - version: 2.1.0 + version: 2.1.1 platform: ruby authors: - Samuel Williams @@ -11,7 +11,7 @@ autorequire: bindir: bin cert_chain: [] -date: 2025-01-04 00:00:00.000000000 Z +date: 2025-05-06 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: base64 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/releases.md new/releases.md --- old/releases.md 2025-01-04 08:40:53.000000000 +0100 +++ new/releases.md 2025-05-06 12:54:56.000000000 +0200 @@ -1,5 +1,9 @@ # Releases +## v2.1.1 + + - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj). + ## v2.1.0 - Improved compatibility with Ruby 3.3+ and Rack 3+.
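Review bot: the hawk2.changes hunk records only bug numbers (bsc#1242927, bsc#1242892, bsc#1242894) for the two gem bumps; the upstream CHANGELOG.md and releases.md hunks in the same submission name the fixed issues as CVE-2025-46727 (rack, `Rack::QueryParser` memory exhaustion) and CVE-2025-46336 (rack-session, `Rack::Session::Pool` recreating deleted sessions). Adding those CVE ids to the changes entry would let vulnerability scanners and the update advisory match this build to the fixes without reading the embedded gem diffs.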
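Review bot: the README hunk misspells "environment" as "enviroment" in both new sections ("If this enviroment variable is provided, it must be an integer"); fix it under `RACK_QUERY_PARSER_BYTESIZE_LIMIT` and `RACK_QUERY_PARSER_PARAMS_LIMIT`. The documentation also never states the defaults, which the query_parser.rb hunk sets to 4194304 bytes and 4096 parameters; quoting them here tells operators what they are tuning and what a request that trips `Rack::QueryParser::QueryLimitError` actually exceeded.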
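Review bot: in the query_parser.rb constructor hunk, `env_int` rescues only the ArgumentError from `Integer(str_val, 10)`, so a malformed value such as "abc" is rejected but a zero or negative value is accepted; with `RACK_QUERY_PARSER_PARAMS_LIMIT=0` the later `param_count >= @params_limit` check is true for every non-empty query string, and `RACK_QUERY_PARSER_BYTESIZE_LIMIT=0` likewise rejects every non-empty query. Raising the same ArgumentError for non-positive values would turn a misconfiguration into a boot-time failure rather than a site-wide 400. The alias `ParamsTooDeepError = QueryLimitError` is a sensible compatibility move but widens what existing `rescue ParamsTooDeepError` handlers catch, which deserves a line in the CHANGELOG hunk.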
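Review bot: in the `check_query_string` hunk, the parameter count is taken with `qs.count(sep.is_a?(String) ? sep : '&')`, so any caller passing a Regexp separator gets a count based on '&' alone, which may not correspond to the characters the subsequent `split` actually uses; either derive the character set from the separator or document that the params limit is approximate for custom separators. The String path is consistent: `String#count` treats its argument as a character set, matching the `/[#{separator}] */n` class used by the split, and the `>=` comparison together with `#{param_count+1}` in the message correctly reports separators-plus-one as the parameter count. Both checks run before any allocation from `split`, which is what makes them effective against the memory-exhaustion issue the CHANGELOG hunk describes.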
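Review bot: in the pool.rb `write_session` hunk, `return false unless get_session_with_fallback(session_id)` executes while `@mutex` is held; `get_session_with_fallback` is not part of the hunk, so confirm it does not itself call `@mutex.synchronize`, since Ruby's Mutex is not reentrant and a nested lock raises ThreadError. The early `return false` also changes the method's contract from always returning `session_id` to returning `false` for an id that no longer exists in the pool, so the caller in the abstract session class must treat `false` as a failed write rather than as a session id. This is the behaviour change that stops a deleted session from being recreated (CVE-2025-46336 per the releases.md hunk).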
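Review bot: in the pool.rb `delete_session` hunk, the new `@pool.store(sid.private_id, {})` after `generate_sid(use_mutex: false)` is what keeps the previous hunk from breaking session renewal: because `write_session` now refuses ids that are not already in the pool, the freshly generated id must be pre-seeded with an empty hash or the very next write for the renewed session would be rejected. A one-line comment stating that dependency would prevent the two hunks from drifting apart in a later refactor; the empty `{}` is truthy in Ruby, so the `get_session_with_fallback` check in `write_session` will accept it.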
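Review bot: the rack metadata hunk adds an empty `signing_key:` alongside the existing `cert_chain: []`, so the rebuilt 3.1.14 gem is unsigned and verification of the vendored file has to be done by comparing it against the upstream release rather than by checking a gem signature; the `rubygems_version` change from 3.6.2 to 3.5.22 only records which RubyGems built the gem and is not a dependency downgrade. The empty `autorequire:` and `post_install_message:` keys are likewise build-environment artefacts with no runtime effect.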
