Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-2.2 for
openSUSE:Factory checked in at 2023-01-23 18:33:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2"
Mon Jan 23 18:33:48 2023 rev:2 rq:1060431 version:2.2.6.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes
2022-10-11 18:05:27.126075330 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.32243/rubygem-rack-2.2.changes
2023-01-23 18:33:50.052836870 +0100
@@ -1,0 +2,11 @@
+Mon Jan 23 13:56:08 UTC 2023 - Hendrik Vogelsang <[email protected]>
+
+- updated to version 2.2.6.2
+
+[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+See installed CHANGELOG.md for more changes
+
+-------------------------------------------------------------------
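Review bot: the three `[CVE-2022-4457x]` lines in the new changes entry carry no openSUSE bug tracker reference (bsc#/boo#), which is what the security team uses to follow a CVE fix through the distribution, and unlike the `- updated to version 2.2.6.2` line above them they are not formatted as list items. Suggest one bullet per CVE with its tracker id appended, for example `- CVE-2022-44570: Fix ReDoS in Rack::Utils.get_byte_ranges (bsc#<tracker id>)`, using the real ids from bugzilla rather than the placeholder shown here.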
Old:
----
rack-2.2.4.gem
New:
----
rack-2.2.6.2.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.XIFmh3/_old 2023-01-23 18:33:50.548840303 +0100
+++ /var/tmp/diff_new_pack.XIFmh3/_new 2023-01-23 18:33:50.556840359 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rack-2.2
#
-# Copyright (c) 2022 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -24,7 +24,7 @@
#
Name: rubygem-rack-2.2
-Version: 2.2.4
+Version: 2.2.6.2
Release: 0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
@@ -38,11 +38,11 @@
%endif
# /MANUAL
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: ruby-macros >= 5
BuildRequires: %{ruby >= 2.3.0}
BuildRequires: %{rubygem gem2rpm}
+BuildRequires: ruby-macros >= 5
BuildRequires: update-alternatives
-Url: https://github.com/rack/rack
+URL: https://github.com/rack/rack
Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: rubygem-rack-rpmlintrc
Source2: gem2rpm.yml
@@ -71,7 +71,6 @@
%fdupes %{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/
# /MANUAL
-
%gem_packages
%changelog
++++++ rack-2.2.4.gem -> rack-2.2.6.2.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2022-07-01 00:19:47.000000000 +0200
+++ new/CHANGELOG.md 2023-01-17 22:22:12.000000000 +0100
@@ -2,6 +2,25 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.6.2] - 2022-01-17
+
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+## [2.2.6.1] - 2022-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [2.2.6] - 2022-01-17
+
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError`
error. ([#2011](https://github.com/rack/rack/pull/2011),
[@byroot](https://github.com/byroot))
+
+## [2.2.5] - 2022-12-27
+
+### Fixed
+
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`.
([#1998](https://github.com/rack/rack/pull/1998),
[@weizheheng](https://github.com/weizheheng))
+
## [2.2.4] - 2022-06-30
- Better support for lower case headers in `Rack::ETag` middleware.
([#1919](https://github.com/rack/rack/pull/1919),
[@ioquatix](https://github.com/ioquatix))
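Review bot: the dates on the new `[2.2.6.2]`, `[2.2.6.1]` and `[2.2.6]` headings read `2022-01-17`, which is earlier than the `[2.2.5] - 2022-12-27` entry that follows them and contradicts the gem's own `date: 2023-01-17` in the metadata diff further down; the year is a typo for 2023. This is upstream's file and is shipped unchanged in the package, so it is worth reporting upstream rather than patching here. A smaller style point: the new sections drop the `### Fixed` subheading that the 2.2.5 entry and the Keep a Changelog format referenced at the top of the file use.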
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/method_override.rb
new/lib/rack/method_override.rb
--- old/lib/rack/method_override.rb 2022-07-01 00:19:47.000000000 +0200
+++ new/lib/rack/method_override.rb 2023-01-17 22:22:12.000000000 +0100
@@ -43,7 +43,7 @@
def method_override_param(req)
req.POST[METHOD_OVERRIDE_PARAM_KEY]
- rescue Utils::InvalidParameterError, Utils::ParameterTypeError
+ rescue Utils::InvalidParameterError, Utils::ParameterTypeError,
QueryParser::ParamsTooDeepError
req.get_header(RACK_ERRORS).puts "Invalid or incomplete POST params"
rescue EOFError
req.get_header(RACK_ERRORS).puts "Bad request content body"
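Review bot: adding `QueryParser::ParamsTooDeepError` to the existing `rescue` list reuses the message "Invalid or incomplete POST params" for a condition that is neither invalid nor incomplete but nested beyond the parser's depth limit, and the request then continues with its original method. For log triage it helps to distinguish a depth-limit rejection (a client sending pathological nesting) from a malformed body, so consider a separate branch, e.g. `rescue QueryParser::ParamsTooDeepError` writing "POST params nested too deeply" to `RACK_ERRORS`, keeping the fall-through behaviour the same.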
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/multipart.rb new/lib/rack/multipart.rb
--- old/lib/rack/multipart.rb 2022-07-01 00:19:47.000000000 +0200
+++ new/lib/rack/multipart.rb 2023-01-17 22:22:12.000000000 +0100
@@ -18,10 +18,10 @@
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION =
/Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION =
/Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
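Review bot: the `BROKEN` regexp on the unchanged context line keeps the `.*;\s*filename=(#{VALUE})` shape that this hunk replaces in `MULTIPART_CONTENT_DISPOSITION` with `[^:]*;\s*name=(#{VALUE})`; please confirm whether `BROKEN` is only ever matched against an already isolated header line, and if it can see the same attacker-controlled head as the disposition regexp, apply the same `[^:]*` bound there too. The `ATTRIBUTE_CHAR` change is sound: `\x00-\x1f\x7f` covers the old ` \t\v\n\r` set and adds the remaining C0 controls and DEL, which is exactly the CTLs exclusion RFC 2231 specifies for attribute-char, so the old definition was also the RFC-incorrect one.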
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/urlmap.rb new/lib/rack/urlmap.rb
--- old/lib/rack/urlmap.rb 2022-07-01 00:19:47.000000000 +0200
+++ new/lib/rack/urlmap.rb 2023-01-17 22:22:12.000000000 +0100
@@ -35,7 +35,7 @@
end
location = location.chomp('/')
- match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)",
nil, 'n')
+ match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)",
Regexp::NOENCODING)
[host, location, match, app]
}.sort_by do |(host, location, _, _)|
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb 2022-07-01 00:19:47.000000000 +0200
+++ new/lib/rack/utils.rb 2023-01-17 22:22:12.000000000 +0100
@@ -348,17 +348,18 @@
return nil unless http_range && http_range =~ /bytes=([^;]+)/
ranges = []
$1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0, r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
# suffix-byte-range-spec, represents trailing suffix of file
r0 = size - r1.to_i
r0 = 0 if r0 < 0
r1 = size - 1
else
r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
r1 = size - 1
else
r1 = r1.to_i
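Review bot: replacing `range_spec =~ /(\d*)-(\d*)/` with `include?('-')` plus `split('-')` removes the only check that the two pieces are numeric. `String#to_i` returns 0 for non-digit text, so `bytes=abc-def` now yields `r0 = 0, r1 = 0` and a 0..0 range where the old code returned nil, and `bytes=10-20-30` yields three pieces with the third silently dropped. Suggest rejecting the spec when `range.length > 2` and validating each piece with an anchored, single-quantifier pattern such as `r0 =~ /\A\d*\z/` before calling `to_i`; that keeps the matching linear, so it does not reintroduce the backtracking this hunk fixes.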
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 2022-07-01 00:19:47.000000000 +0200
+++ new/lib/rack/version.rb 2023-01-17 22:22:12.000000000 +0100
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.4"
+ RELEASE = "2.2.6.2"
# Return the Rack release as a dotted string.
def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-07-01 00:19:47.000000000 +0200
+++ new/metadata 2023-01-17 22:22:12.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: rack
version: !ruby/object:Gem::Version
- version: 2.2.4
+ version: 2.2.6.2
platform: ruby
authors:
- Leah Neukirchen
-autorequire:
+autorequire:
bindir: bin
cert_chain: []
-date: 2022-06-30 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: minitest
@@ -169,7 +169,7 @@
changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
documentation_uri: https://rubydoc.info/github/rack/rack
source_code_uri: https://github.com/rack/rack
-post_install_message:
+post_install_message:
rdoc_options: []
require_paths:
- lib
@@ -184,8 +184,8 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.0.3.1
-signing_key:
+rubygems_version: 3.5.0.dev
+signing_key:
specification_version: 4
summary: A modular Ruby webserver interface.
test_files: []
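Review bot: `signing_key:` remains empty here and `cert_chain: []` in the first metadata hunk, so the new gem is unsigned and its integrity rests entirely on the transport from rubygems.org and on the checksum recorded for `Source:` in OBS; the bumped `rubygems_version: 3.5.0.dev` also shows the release was built with a development RubyGems, which is not a defect but is worth noting. Suggest comparing the sha256 of the fetched `rack-2.2.6.2.gem` against the checksum rubygems.org publishes for the version before accepting the submit request.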