Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-json-jwt for 
openSUSE:Factory checked in at 2022-10-30 18:28:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-json-jwt (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-json-jwt.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-json-jwt"

Sun Oct 30 18:28:53 2022 rev:11 rq:1032146 version:1.16.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-json-jwt/rubygem-json-jwt.changes        
2022-10-13 15:45:11.163094094 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-json-jwt.new.2275/rubygem-json-jwt.changes  
    2022-10-30 18:29:08.710484629 +0100
@@ -1,0 +2,6 @@
+Fri Oct 28 04:59:49 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 1.16.1
+  no changelog found
+
+-------------------------------------------------------------------

Old:
----
  json-jwt-1.16.0.gem

New:
----
  json-jwt-1.16.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-json-jwt.spec ++++++
--- /var/tmp/diff_new_pack.qPKM2j/_old  2022-10-30 18:29:09.214487352 +0100
+++ /var/tmp/diff_new_pack.qPKM2j/_new  2022-10-30 18:29:09.218487374 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-json-jwt
-Version:        1.16.0
+Version:        1.16.1
 Release:        0
 %define mod_name json-jwt
 %define mod_full_name %{mod_name}-%{version}
@@ -49,7 +49,7 @@
 
 %install
 %gem_install \
-  --doc-files="LICENSE README.md" \
+  --doc-files="CHANGELOG.md LICENSE README.md" \
   -f
 
 %gem_packages

++++++ json-jwt-1.16.0.gem -> json-jwt-1.16.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    1970-01-01 01:00:00.000000000 +0100
+++ new/CHANGELOG.md    2022-10-20 11:25:34.000000000 +0200
@@ -0,0 +1,11 @@
+## [Unreleased]
+
+## [1.16.0] - 2022-10-08
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/VERSION new/VERSION
--- old/VERSION 2022-10-08 16:15:36.000000000 +0200
+++ new/VERSION 2022-10-20 11:25:34.000000000 +0200
@@ -1 +1 @@
-1.16.0
\ No newline at end of file
+1.16.1
\ No newline at end of file
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/json/jwe.rb new/lib/json/jwe.rb
--- old/lib/json/jwe.rb 2022-10-08 16:15:36.000000000 +0200
+++ new/lib/json/jwe.rb 2022-10-20 11:25:34.000000000 +0200
@@ -43,9 +43,12 @@
       raise UnexpectedAlgorithm.new('Unexpected alg header') unless 
algorithms.blank? || Array(algorithms).include?(alg)
       raise UnexpectedAlgorithm.new('Unexpected enc header') unless 
encryption_methods.blank? || Array(encryption_methods).include?(enc)
       self.private_key_or_secret = with_jwk_support private_key_or_secret
-      cipher.decrypt
       self.content_encryption_key = decrypt_content_encryption_key
       self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+
+      verify_cbc_authentication_tag! if cbc?
+
+      cipher.decrypt
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
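Review bot: The placement of `verify_cbc_authentication_tag! if cbc?` ahead of `cipher.decrypt` is what keeps unauthenticated ciphertext away from the CBC unpadding step, but nothing on that line says so, and a later tidy-up could move it back below `cipher.final`. I would add a comment such as `# Encrypt-then-MAC: verify the tag before any CBC decryption so padding errors are only reachable with a valid MAC`. Separately, `decrypt_content_encryption_key` still runs before the tag check and its body is not visible in this hunk; if it can raise an OpenSSL error for a malformed encrypted key, that exception would remain distinguishable from `DecryptionFailed`, which is worth confirming. The method body begins above the hunk.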
@@ -54,8 +57,15 @@
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end
-      self.plain_text = cipher.update(cipher_text) + cipher.final
-      verify_cbc_authentication_tag! if cbc?
+
+      begin
+        self.plain_text = cipher.update(cipher_text) + cipher.final
+      rescue OpenSSL::OpenSSLError
+        # Ensure that the same error is raised for invalid PKCS7 padding
+        # as for invalid signatures. This prevents padding-oracle attacks.
+        raise DecryptionFailed
+      end
+
       self
     end
 
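Review bot: The new `begin`/`rescue OpenSSL::OpenSSLError` wraps only `cipher.update(cipher_text) + cipher.final`, so the setters before it (`cipher.key =` and `cipher.iv =` in the previous hunk's context, and `cipher.auth_tag =` for GCM here) can still raise their own exceptions. The IV and tag come from the token, so a wrong-length value would reach a caller that rescues only `DecryptionFailed` as a different exception class. Consider opening the `begin` at `cipher.decrypt`, and if the length checks raise `ArgumentError` (as I believe the Ruby OpenSSL setters do, to be confirmed), rescuing it too: `rescue OpenSSL::OpenSSLError, ArgumentError`. Ruby also attaches the rescued error as `cause` of the re-raised `DecryptionFailed`, so callers should keep `cause` out of anything returned to the client.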
@@ -244,7 +254,7 @@
         sha_digest, mac_key, secured_input
       )[0, sha_size / 2 / 8]
       unless secure_compare(authentication_tag, expected_authentication_tag)
-        raise DecryptionFailed.new('Invalid authentication tag')
+        raise DecryptionFailed
       end
     end
 
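Review bot: The bare `raise DecryptionFailed` here has to stay identical to the one raised from the padding rescue in the decrypt path, yet the only comment explaining that lives at the other site. A comment on this line, for example `# No message on purpose: must be indistinguishable from the bad-padding failure`, would stop someone from re-adding a descriptive message later. A spec asserting that a tampered tag and a tampered final block yield the same exception class and message would pin the invariant; none is visible in this diff. The enclosing method starts above the hunk.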
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2022-10-08 16:15:36.000000000 +0200
+++ new/metadata        2022-10-20 11:25:34.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.16.1
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-08 00:00:00.000000000 Z
+date: 2022-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -163,6 +163,7 @@
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -181,7 +182,7 @@
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -196,8 +197,8 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web 
Encryption and
   JSON Web Key) in Ruby
