Hello community,

here is the log from the commit of package rubygem-rack for openSUSE:Factory 
checked in at 2023-01-23 18:33:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-rack.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack"

Mon Jan 23 18:33:34 2023 rev:24 rq:1060387 version:3.0.4.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes        
2022-12-13 18:57:19.071795836 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-rack.new.32243/rubygem-rack.changes     
2023-01-23 18:33:36.384742288 +0100
@@ -1,0 +2,11 @@
+Fri Jan 20 13:25:39 UTC 2023 - Hendrik Vogelsang <hvo...@suse.com>
+
+updated to version 3.0.4.1
+
+[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+For more detailed information see the installed CHANGELOG.md
+
+-------------------------------------------------------------------
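Review bot: the package changelog entry jumps from 3.0.2 to 3.0.4.1 but lists only the three CVE items; the 3.0.4 change to `Rack::Request#POST` (parse errors are now cached in the env and re-raised on later calls, see the request.rb hunk below) is a behaviour change that applications and middleware may notice, so consider naming it here next to the CVE lines rather than relying on "see the installed CHANGELOG.md".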

Old:
----
  rack-3.0.2.gem

New:
----
  rack-3.0.4.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-rack.spec ++++++
--- /var/tmp/diff_new_pack.41NspY/_old  2023-01-23 18:33:36.980746412 +0100
+++ /var/tmp/diff_new_pack.41NspY/_new  2023-01-23 18:33:36.980746412 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-rack
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-rack
-Version:        3.0.2
+Version:        3.0.4.1
 Release:        0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}

++++++ rack-3.0.2.gem -> rack-3.0.4.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2022-12-05 06:12:56.000000000 +0100
+++ new/CHANGELOG.md    2023-01-17 21:47:16.000000000 +0100
@@ -2,7 +2,25 @@
 
 All notable changes to this project will be documented in this file. For info 
on how to format all future additions to this file please reference [Keep A 
Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [3.0.2] -2022-12-05
+## [3.0.4.1] - 2023-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [3.0.4] - 2022-01-17
+
+- `Rack::Request#POST` should consistently raise errors. Cache errors that 
occur when invoking `Rack::Request#POST` so they can be raised again later. 
([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
+- Fix `Rack::Lint` error message for `HTTP_CONTENT_TYPE` and 
`HTTP_CONTENT_LENGTH`. ([#2007](https://github.com/rack/rack/pull/2007), 
[@byroot](https://github.com/byroot))
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` 
error. ([#2006](https://github.com/rack/rack/pull/2006), 
[@byroot](https://github.com/byroot))
+
+## [3.0.3] - 2022-12-27
+
+### Fixed
+
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. 
([#1998](https://github.com/rack/rack/pull/1998), 
[@weizheheng](https://github.com/weizheheng))
+
+## [3.0.2] - 2022-12-05
 
 ### Fixed
 
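Review bot: the heading `## [3.0.4] - 2022-01-17` carries a date that is out of order with the surrounding entries (3.0.3 is dated 2022-12-27 and 3.0.4.1 is 2023-01-17); it looks like a typo for 2023-01-17. The 3.0.4.1 and 3.0.4 entries also omit the `### Fixed` subheading that the 3.0.3 and 3.0.2 entries use, which matters for tooling that parses the Keep A Changelog layout.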
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/constants.rb new/lib/rack/constants.rb
--- old/lib/rack/constants.rb   2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/constants.rb   2023-01-17 21:47:16.000000000 +0100
@@ -55,6 +55,7 @@
   RACK_REQUEST_FORM_INPUT             = 'rack.request.form_input'
   RACK_REQUEST_FORM_HASH              = 'rack.request.form_hash'
   RACK_REQUEST_FORM_VARS              = 'rack.request.form_vars'
+  RACK_REQUEST_FORM_ERROR             = 'rack.request.form_error'
   RACK_REQUEST_COOKIE_HASH            = 'rack.request.cookie_hash'
   RACK_REQUEST_COOKIE_STRING          = 'rack.request.cookie_string'
   RACK_REQUEST_QUERY_HASH             = 'rack.request.query_hash'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/lint.rb new/lib/rack/lint.rb
--- old/lib/rack/lint.rb        2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/lint.rb        2023-01-17 21:47:16.000000000 +0100
@@ -303,7 +303,7 @@
         ## (use the versions without <tt>HTTP_</tt>).
         %w[HTTP_CONTENT_TYPE HTTP_CONTENT_LENGTH].each { |header|
           if env.include? header
-            raise LintError, "env contains #{header}, must use #{header[5, 
-1]}"
+            raise LintError, "env contains #{header}, must use 
#{header[5..-1]}"
           end
         }
 
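Review bot: correct fix. `header[5, -1]` is Ruby's (start, length) form, and a negative length returns nil, so the old message rendered as `must use ` followed by nothing; `header[5..-1]` strips the `HTTP_` prefix as intended. A Lint test asserting the full message text would have caught this, since the branch is only reached by mis-built envs and the bug went unnoticed.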
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/method_override.rb 
new/lib/rack/method_override.rb
--- old/lib/rack/method_override.rb     2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/method_override.rb     2023-01-17 21:47:16.000000000 +0100
@@ -47,7 +47,7 @@
 
     def method_override_param(req)
       req.POST[METHOD_OVERRIDE_PARAM_KEY] if req.form_data? || 
req.parseable_data?
-    rescue Utils::InvalidParameterError, Utils::ParameterTypeError
+    rescue Utils::InvalidParameterError, Utils::ParameterTypeError, 
QueryParser::ParamsTooDeepError
       req.get_header(RACK_ERRORS).puts "Invalid or incomplete POST params"
     rescue EOFError
       req.get_header(RACK_ERRORS).puts "Bad request content body"
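Review bot: adding `QueryParser::ParamsTooDeepError` to the rescue means an over-nested body only logs "Invalid or incomplete POST params", `method_override_param` returns nil and the request continues with its original method. This relies on the `Rack::Request#POST` change elsewhere in this update, which caches the error in the env and re-raises it when the application itself calls `POST`, so the middleware swallowing it does not hide the failure from the app; a one-line comment on the rescue making that dependency explicit would help the next reader.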
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb 
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb    2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/multipart/parser.rb    2023-01-17 21:47:16.000000000 +0100
@@ -23,10 +23,10 @@
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = 
/Content-Disposition:.*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = 
/Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
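Review bot: replacing `.*` with `[^:]*` in MULTIPART_CONTENT_DISPOSITION bounds the backtracking, because the candidate match can no longer run on across a following `Header:` line each time `;\s*name=` fails. One behavioural difference worth a test: under `/n` without `/m`, `.` did not match a newline but `[^:]` does, so the new pattern can span line breaks up to the next colon. For ATTRIBUTE_CHAR, `\x00-\x1f\x7f` is a superset of the old `\t\v\n\r`, so attribute names containing other control bytes (NUL, ESC) are now rejected rather than accepted; that is the intended hardening, but it is a tightening that callers relying on unusual field names could notice.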
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb
--- old/lib/rack/request.rb     2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/request.rb     2023-01-17 21:47:16.000000000 +0100
@@ -496,26 +496,35 @@
       # This method support both application/x-www-form-urlencoded and
       # multipart/form-data.
       def POST
-        if get_header(RACK_INPUT).nil?
-          raise "Missing rack.input"
-        elsif get_header(RACK_REQUEST_FORM_INPUT) == get_header(RACK_INPUT)
-          get_header(RACK_REQUEST_FORM_HASH)
-        elsif form_data? || parseable_data?
-          unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
-            form_vars = get_header(RACK_INPUT).read
+        if error = get_header(RACK_REQUEST_FORM_ERROR)
+          raise error.class, error.message, cause: error.cause
+        end
+
+        begin
+          if get_header(RACK_INPUT).nil?
+            raise "Missing rack.input"
+          elsif get_header(RACK_REQUEST_FORM_INPUT) == get_header(RACK_INPUT)
+            get_header(RACK_REQUEST_FORM_HASH)
+          elsif form_data? || parseable_data?
+            unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
+              form_vars = get_header(RACK_INPUT).read
 
-            # Fix for Safari Ajax postings that always append \0
-            # form_vars.sub!(/\0\z/, '') # performance replacement:
-            form_vars.slice!(-1) if form_vars.end_with?("\0")
+              # Fix for Safari Ajax postings that always append \0
+              # form_vars.sub!(/\0\z/, '') # performance replacement:
+              form_vars.slice!(-1) if form_vars.end_with?("\0")
 
-            set_header RACK_REQUEST_FORM_VARS, form_vars
-            set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+              set_header RACK_REQUEST_FORM_VARS, form_vars
+              set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+            end
+            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+            get_header RACK_REQUEST_FORM_HASH
+          else
+            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+            set_header(RACK_REQUEST_FORM_HASH, {})
           end
-          set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-          get_header RACK_REQUEST_FORM_HASH
-        else
-          set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-          set_header(RACK_REQUEST_FORM_HASH, {})
+        rescue => error
+          set_header(RACK_REQUEST_FORM_ERROR, error)
+          raise
         end
       end
 
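Review bot: `raise error.class, error.message, cause: error.cause` reconstructs the exception instead of re-raising the cached object, which discards the original backtrace and any extra state a custom exception class carries, and it will itself fail for exception classes whose constructor does not accept a single message argument. `raise error` would re-raise the cached object (and keep its existing backtrace); if a fresh backtrace is the intent, a comment saying so belongs here. Note also that the env now holds an exception object under `rack.request.form_error` for the rest of the request, so error reporters or loggers that serialize the env should be checked against that.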
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/urlmap.rb new/lib/rack/urlmap.rb
--- old/lib/rack/urlmap.rb      2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/urlmap.rb      2023-01-17 21:47:16.000000000 +0100
@@ -37,7 +37,7 @@
         end
 
         location = location.chomp('/')
-        match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", 
nil, 'n')
+        match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", 
Regexp::NOENCODING)
 
         [host, location, match, app]
       }.sort_by do |(host, location, _, _)|
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb       2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/utils.rb       2023-01-17 21:47:16.000000000 +0100
@@ -426,17 +426,18 @@
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0, r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i
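Review bot: swapping the unanchored `/(\d*)-(\d*)/` for `split('-')` removes the backtracking, but it also drops the digit check. With the old regex `"abc-def"` yielded two empty captures and hit `return nil`; now `"abc".to_i` and `"def".to_i` silently produce a `0-0` range that is accepted. Validating each part with an anchored `/\A\d*\z/` before `to_i` (linear, no backtracking) would keep the rejection of malformed specs that the regex provided, e.g. `return nil unless range.all? { |p| p =~ /\A\d*\z/ }` after the split.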
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb     2022-12-05 06:12:56.000000000 +0100
+++ new/lib/rack/version.rb     2023-01-17 21:47:16.000000000 +0100
@@ -25,7 +25,7 @@
     VERSION
   end
 
-  RELEASE = "3.0.2"
+  RELEASE = "3.0.4.1"
 
   # Return the Rack release as a dotted string.
   def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2022-12-05 06:12:56.000000000 +0100
+++ new/metadata        2023-01-17 21:47:16.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.4.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-05 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -164,7 +164,7 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.
