Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-rack for openSUSE:Factory checked in at 2022-06-01 17:35:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack" Wed Jun 1 17:35:42 2022 rev:20 rq:980341 version:2.2.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes 2020-06-19 17:26:36.400456387 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-rack.new.1548/rubygem-rack.changes 2022-06-01 17:35:50.170824044 +0200 @@ -1,0 +2,7 @@ +Mon May 30 11:47:53 UTC 2022 - Hendrik Vogelsang <hvo...@suse.com> + +- updated to version 2.2.3.1 + [CVE-2022-30123] Fix shell escaping issue in Common Logger + [CVE-2022-30122] Restrict parsing of broken MIME attachments + +------------------------------------------------------------------- Old: ---- rack-2.2.3.gem New: ---- rack-2.2.3.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack.spec ++++++ --- /var/tmp/diff_new_pack.4NaOwj/_old 2022-06-01 17:35:50.650824611 +0200 +++ /var/tmp/diff_new_pack.4NaOwj/_new 2022-06-01 17:35:50.654824616 +0200 @@ -1,7 +1,7 @@ # # spec file for package rubygem-rack # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-rack -Version: 2.2.3 +Version: 2.2.3.1 Release: 0 %define mod_name rack %define mod_full_name %{mod_name}-%{version} ++++++ rack-2.2.3.gem -> rack-2.2.3.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2020-06-16 00:22:45.000000000 +0200 +++ new/CHANGELOG.md 2022-05-27 17:30:06.000000000 +0200 
@@ -2,6 +2,11 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/). +## [2.2.3.1] - 2022-05-27 + +- [CVE-2022-30123] Fix shell escaping issue in Common Logger +- [CVE-2022-30122] Restrict parsing of broken MIME attachments + ## [2.2.3] - 2020-02-11 - [CVE-2020-8184] Only decode cookie values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SPEC.rdoc new/SPEC.rdoc --- old/SPEC.rdoc 2020-06-16 00:22:45.000000000 +0200 +++ new/SPEC.rdoc 2022-05-27 17:30:06.000000000 +0200 @@ -42,18 +42,17 @@ <tt>QUERY_STRING</tt>:: The portion of the request URL that follows the <tt>?</tt>, if any. May be empty, but is always required! -<tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and +<tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>:: + When combined with <tt>SCRIPT_NAME</tt> and <tt>PATH_INFO</tt>, these variables can be used to complete the URL. Note, however, that <tt>HTTP_HOST</tt>, if present, should be used in preference to <tt>SERVER_NAME</tt> for reconstructing the request URL. - <tt>SERVER_NAME</tt> can never be an empty - string, and so is always required. -<tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the - server is running on. Should be specified if - the server is running on a non-standard port. + <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt> + can never be empty strings, and so + are always required. <tt>HTTP_</tt> Variables:: Variables corresponding to the client-supplied HTTP request headers (i.e., variables whose 
@@ -123,9 +122,6 @@ is reserved for use with the Rack core distribution and other accepted specifications and must not be used otherwise. -The <tt>SERVER_PORT</tt> must be an Integer if set. -The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540. -The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540. The environment must not contain the keys <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt> (use the versions without <tt>HTTP_</tt>). Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/common_logger.rb new/lib/rack/common_logger.rb --- old/lib/rack/common_logger.rb 2020-06-16 00:22:45.000000000 +0200 +++ new/lib/rack/common_logger.rb 2022-05-27 17:30:06.000000000 +0200 @@ -60,7 +60,10 @@ length, Utils.clock_time - began_at ] + msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" } + logger = @logger || env[RACK_ERRORS] + # Standard library logger doesn't support write but it supports << which actually # calls to write on the log device without formatting if logger.respond_to?(:write) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/lint.rb new/lib/rack/lint.rb --- old/lib/rack/lint.rb 2020-06-16 00:22:45.000000000 +0200 +++ new/lib/rack/lint.rb 2022-05-27 17:30:06.000000000 +0200 @@ -337,7 +337,7 @@ check_hijack env ## * The <tt>REQUEST_METHOD</tt> must be a valid token. - assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") { + assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") { env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/multipart/parser.rb new/lib/rack/multipart/parser.rb --- old/lib/rack/multipart/parser.rb 2020-06-16 00:22:45.000000000 +0200 +++ new/lib/rack/multipart/parser.rb 2022-05-27 17:30:06.000000000 +0200 
@@ -301,8 +301,9 @@ elsif filename = params['filename*'] encoding, _, filename = filename.split("'", 3) end - when BROKEN_QUOTED, BROKEN_UNQUOTED + when BROKEN filename = $1 + filename = $1 if filename =~ /^"(.*)"$/ end return unless filename diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/multipart.rb new/lib/rack/multipart.rb --- old/lib/rack/multipart.rb 2020-06-16 00:22:45.000000000 +0200 +++ new/lib/rack/multipart.rb 2022-05-27 17:30:06.000000000 +0200 @@ -16,8 +16,7 @@ TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/ CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/ - BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i - BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i + BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb --- old/lib/rack/version.rb 2020-06-16 00:22:45.000000000 +0200 +++ new/lib/rack/version.rb 2022-05-27 17:30:06.000000000 +0200 @@ -20,7 +20,7 @@ VERSION.join(".") end - RELEASE = "2.2.3" + RELEASE = "2.2.3.1" # Return the Rack release as a dotted string. def self.release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2020-06-16 00:22:45.000000000 +0200 +++ new/metadata 2022-05-27 17:30:06.000000000 +0200 
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 2.2.3 + version: 2.2.3.1 platform: ruby authors: - Leah Neukirchen -autorequire: +autorequire: bindir: bin cert_chain: [] -date: 2020-06-15 00:00:00.000000000 Z +date: 2022-05-27 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: minitest @@ -169,7 +169,7 @@ changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md documentation_uri: https://rubydoc.info/github/rack/rack source_code_uri: https://github.com/rack/rack -post_install_message: +post_install_message: rdoc_options: [] require_paths: - lib @@ -184,8 +184,8 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.2.0.pre1 -signing_key: +rubygems_version: 3.0.3.1 +signing_key: specification_version: 4 summary: A modular Ruby webserver interface. test_files: []
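Review bot: the rubygem-rack.changes hunk cites CVE-2022-30123 and CVE-2022-30122 but carries no bsc# references; openSUSE security updates are tracked by bug number, so add the corresponding bsc# entries (placeholder: `bsc#<bug-id>`) next to each CVE line so the maintenance tooling can link the update to the security bugs.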
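Review bot: the first SPEC.rdoc hunk (@@ -42,18 +42,17 @@) changes SERVER_PORT from "an optional +Integer+" to a required non-empty string alongside SERVER_NAME, which is a specification tightening that servers and Rack::Lint users may notice, yet the CHANGELOG hunk for 2.2.3.1 lists only the two CVE fixes. Add a line such as "- Require SERVER_PORT to be a non-empty string (SPEC)" so the change is visible in a patch release.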
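Review bot: the second SPEC.rdoc hunk (@@ -123,9 +122,6 @@) drops the three lines stating that SERVER_PORT must be an Integer and that SERVER_NAME and HTTP_HOST must be valid RFC7540 authorities, with no replacement wording; if lint.rb still enforces any of these (the lint.rb hunk in this diff touches only REQUEST_METHOD), the assertions and the spec now disagree, so either keep a weaker statement of what SERVER_NAME/HTTP_HOST may contain or note in the changelog that the authority validation requirement was removed.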
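Review bot: in the common_logger.rb hunk, `"\\x#{c.ord}"` writes the decimal code point after a `\x` prefix, so ESC (0x1b) is logged as `\x27`, which a reader or log parser will decode as `'` rather than as the escape byte. Use `"\\x%02X" % c.ord` (or `sprintf`) so the escape is real hex, and consider a `\u{...}` form when `c.ord` exceeds 0xFF, since a two-digit `\x` cannot represent it. The class `[^[:print:]\n]` correctly keeps the trailing newline and escapes `\r`, which is the property the CVE-2022-30123 fix needs.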
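Review bot: in the lint.rb hunk, `env[REQUEST_METHOD].dump` is a good change because a method containing control characters would otherwise corrupt the LintError text, but the interpolated string is built eagerly before the block runs, so `dump` is paid on every request even when the assertion passes; if `assert` accepts a lazily built message, build it in the block, otherwise this is fine as a documented cost.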
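Review bot: in the multipart/parser.rb hunk, `filename =~ /^"(.*)"$/` uses Ruby's line anchors and `.` does not cross newlines, while the quoted branch of VALUE (`"(?:\\"|[^"])*"`) does accept newlines, so a quoted filename spanning lines is either left quoted or unquoted at an inner line; use `\A"(.*)"\z` with the `m` flag, e.g. `filename = $1 if filename =~ /\A"(.*)"\z/m`. Note also that `\"` sequences accepted by VALUE are not unescaped here, so such a filename keeps its backslashes, which should be stated in a comment or covered by a test.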
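Review bot: the multipart.rb hunk removes the public constants `BROKEN_QUOTED` and `BROKEN_UNQUOTED`, which breaks any downstream code referencing `Rack::Multipart::BROKEN_QUOTED`; keep them as deprecated aliases of `BROKEN` for the 2.2.x line. The new `BROKEN` still scans with a greedy `.*` before `;\s*filename=`, so add a regression test with a long Content-Disposition line containing many `;` separators and a malformed filename to confirm the CVE-2022-30122 fix keeps parsing time linear on that input.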
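Review bot: the metadata hunk shows `signing_key:` empty (the gem is unsigned), `rubygems_version` moving back from 3.2.0.pre1 to 3.0.3.1, and the diff header reports that checksums.yaml.gz differs; since there is no signature to check, verify the sha256 of rack-2.2.3.1.gem against the published rubygems.org checksum (recorded in the package source or the submit request) before accepting, so a tampered artifact cannot enter Factory under a security update.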