Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-rack for openSUSE:Factory checked in at 2024-02-27 22:49:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack.new.1770 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack" Tue Feb 27 22:49:54 2024 rev:28 rq:1152360 version:3.0.9.1 Changes: --------
--- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes 2023-11-15 21:08:55.845012613 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-rack.new.1770/rubygem-rack.changes 2024-02-27 22:50:17.254734334 +0100
@@ -1,0 +2,9 @@
+Tue Feb 27 13:35:02 UTC 2024 - [email protected]
+
+- version update to 3.0.9.1
+ * Fixed ReDoS in Accept header parsing [CVE-2024-26146][bsc#1220248]
+ * Fixed ReDoS in Content Type header parsing [CVE-2024-25126][bsc#1220239]
+ * Reject Range headers which are too large [CVE-2024-26141][bsc#1220242]
+ * Fix content-length calcuation in Rack:Response#write #2150
+
+-------------------------------------------------------------------
Old: ---- rack-3.0.8.gem New: ---- rack-3.0.9.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ rubygem-rack.spec ++++++
--- /var/tmp/diff_new_pack.DqsChc/_old 2024-02-27 22:50:17.918758401 +0100
+++ /var/tmp/diff_new_pack.DqsChc/_new 2024-02-27 22:50:17.918758401 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-rack
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 Name: rubygem-rack
-Version: 3.0.8
+Version: 3.0.9.1
 Release: 0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}
++++++ rack-3.0.8.gem -> rack-3.0.9.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2023-06-14 04:01:33.000000000 +0200
+++ new/CHANGELOG.md 2024-02-21 20:23:53.000000000 +0100
@@ -2,6 +2,16 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## Unreleased
+
+## [3.0.9] - 2024-01-31
+
+- Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson])
+
+## [3.0.8] - 2023-06-14
+
+- Fix some unused variable verbose warnings. ([#2084](https://github.com/rack/rack/pull/2084), [@jeremyevans], [@skipkayhil](https://github.com/skipkayhil))
+
 ## [3.0.7] - 2023-03-16
 - Make query parameters without `=` have `nil` values. ([#2059](https://github.com/rack/rack/pull/2059), [@jeremyevans])
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/media_type.rb new/lib/rack/media_type.rb
--- old/lib/rack/media_type.rb 2023-06-14 04:01:33.000000000 +0200
+++ new/lib/rack/media_type.rb 2024-02-21 20:23:53.000000000 +0100
@@ -4,7 +4,7 @@
 # Rack::MediaType parse media type and parameters out of content_type string
 class MediaType
- SPLIT_PATTERN = %r{\s*[;,]\s*}
+ SPLIT_PATTERN = /[;,]/
 class << self
 # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
 def type(content_type)
 return nil unless content_type
- content_type.split(SPLIT_PATTERN, 2).first.tap(&:downcase!)
+ if type = content_type.split(SPLIT_PATTERN, 2).first
+ type.rstrip!
+ type.downcase!
+ type
+ end
 end
 # The media type parameters provided in CONTENT_TYPE as a Hash, or
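Review bot: `SPLIT_PATTERN = /[;,]/` no longer consumes the whitespace around the separators, so every caller of `split(SPLIT_PATTERN)` must now strip its own pieces (`type` in the next hunk does `rstrip!`, `params` does `s.strip!`), and that contract is not written down at the constant. A one-line comment would stop a later edit from putting `\s*` back: `# Deliberately no \s* around the separators (CVE-2024-25126, ReDoS); callers strip each piece themselves.` The class body continues outside the hunk.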
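Review bot: In the new `type`, `if type = content_type.split(SPLIT_PATTERN, 2).first` assigns inside the condition and names the local `type`, the same as the method being defined, which reads like a typo for `==` and shadows the method for the rest of the body. Parenthesising the assignment and renaming the local, e.g. `if (media_type = content_type.split(SPLIT_PATTERN, 2).first)` with the three following lines using `media_type`, keeps the behaviour and satisfies Lint/AssignmentInCondition. Also, `type` only does `rstrip!` while `params` in the next hunk does `strip!`; if leading whitespace on the media type is meant to survive, a short comment saying so would avoid a later "fix".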
@@ -27,9 +31,10 @@
 return {} if content_type.nil?
 content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+ s.strip!
 k, v = s.split('=', 2)
-
- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+ k.downcase!
+ hsh[k] = strip_doublequotes(v)
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/response.rb new/lib/rack/response.rb
--- old/lib/rack/response.rb 2023-06-14 04:01:33.000000000 +0200
+++ new/lib/rack/response.rb 2024-02-21 20:23:53.000000000 +0100
@@ -328,6 +328,8 @@
 @body.each do |part|
 @length += part.to_s.bytesize
 end
+
+ @buffered = true
 elsif @body.respond_to?(:each)
 # Turn the user supplied body into a buffered array:
 body = @body
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb 2023-06-14 04:01:33.000000000 +0200
+++ new/lib/rack/utils.rb 2024-02-21 20:23:53.000000000 +0100
@@ -143,8 +143,8 @@
 end
 def q_values(q_value_header)
- q_value_header.to_s.split(/\s*,\s*/).map do |part|
- value, parameters = part.split(/\s*;\s*/, 2)
+ q_value_header.to_s.split(',').map do |part|
+ value, parameters = part.split(';', 2).map(&:strip)
 quality = 1.0
 if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
 quality = md[1].to_f
@@ -157,9 +157,10 @@
 return nil unless forwarded_header
 forwarded_header = forwarded_header.to_s.gsub("\n", ";")
- forwarded_header.split(/\s*;\s*/).each_with_object({}) do |field, values|
- field.split(/\s*,\s*/).each do |pair|
- return nil unless pair =~ /\A\s*(by|for|host|proto)\s*=\s*"?([^"]+)"?\s*\Z/i
+ forwarded_header.split(';').each_with_object({}) do |field, values|
+ field.split(',').each do |pair|
+ pair = pair.split('=').map(&:strip).join('=')
+ return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
 (values[$1.downcase.to_sym] ||= []) << $2
 end
 end
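Review bot: The new `k.downcase!` in `params` raises NoMethodError on nil whenever a parameter segment is empty: `"text/html;;charset=utf-8".split(SPLIT_PATTERN)` yields an empty string in the middle (Ruby only drops trailing empties), `"".split('=', 2)` is `[]`, so `k` is nil. The replaced `k.tap(&:downcase!)` failed the same way, but this header is client-supplied and the commit is already touching the line, so it is the right moment to close it: `next if s.empty?` directly after `s.strip!`. The `params` signature is outside the hunk.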
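Review bot: The new `@buffered = true` in the Array branch carries no comment on why the flag must be set here, and the enclosing method starts and ends outside the hunk, so a reader sees only that an already-Array body is now marked buffered. Presumably this is what keeps a later `write` from buffering and counting the same parts again (the 3.0.9 changelog entry in this package attributes a wrong content-length to `Rack::Response#write`), which is worth stating on the line: `# Body is already an Array: mark it buffered so a later write does not buffer and count it a second time.` That wording is an inference from the flag's name and the changelog, so adjust it to what the rest of the method actually does.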
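Review bot: `pair = pair.split('=').map(&:strip).join('=')` splits on every `=`, so whitespace next to an `=` inside a quoted value is stripped as well: `for="a = b"` becomes `for="a=b"` before the regex, whereas the replaced pattern captured `a = b` unchanged. Limiting the split to the name/value separator confines the normalisation to where it was intended: `pair = pair.split('=', 2).map(&:strip).join('=')`. Separately, the new regex keeps `\Z`; `\z` is the stricter end anchor, although the `gsub("\n", ";")` two lines up already makes a trailing newline unreachable here. The method's closing `end` is outside the hunk.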
@@ -458,6 +459,9 @@
 end
 ranges << (r0..r1) if r0 <= r1
 end
+
+ return [] if ranges.map(&:size).sum > size
+
 ranges
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 2023-06-14 04:01:33.000000000 +0200
+++ new/lib/rack/version.rb 2024-02-21 20:23:53.000000000 +0100
@@ -25,7 +25,7 @@
 VERSION
 end
- RELEASE = "3.0.8"
+ RELEASE = "3.0.9.1"
 # Return the Rack release as a dotted string.
 def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2023-06-14 04:01:33.000000000 +0200
+++ new/metadata 2024-02-21 20:23:53.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
- version: 3.0.8
+ version: 3.0.9.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-14 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -164,7 +164,7 @@
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.
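Review bot: `return [] if ranges.map(&:size).sum > size` rejects over-large Range requests (CVE-2024-26141 per this package's changes entry) but does not say why the answer is `[]` rather than `nil`; if, as is usual for this helper, `nil` means "no usable Range header" and `[]` means "unsatisfiable", callers will treat the two very differently, so the choice deserves a comment such as `# Total requested bytes exceed the resource: report unsatisfiable ([]) rather than ignoring the header (nil).` That distinction is inferred, since the caller and the method's other return paths are outside the hunk. Stylistically `ranges.sum(&:size)` says the same thing without the intermediate array. The enclosing method starts outside the hunk.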
