Hello community,
here is the log from the commit of package rubygem-actionpack-6.0 for
openSUSE:Factory checked in at 2019-12-21 12:31:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.6675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-6.0"
Sat Dec 21 12:31:40 2019 rev:4 rq:758385 version:6.0.2.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes
2019-12-14 12:23:50.731195099 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.6675/rubygem-actionpack-6.0.changes
2019-12-21 12:32:10.787386017 +0100
@@ -1,0 +2,12 @@
+Fri Dec 20 04:19:39 UTC 2019 - Manuel Schnitzer <[email protected]>
+
+- updated to version 6.0.2.1
+
+ * Fix possible information leak / session hijacking vulnerability.
+
+ The ActionDispatch::Session::MemcacheStore is still vulnerable given it
requires the
+ gem dalli to be updated as well.
+
+ (CVE-2019-16782)
+
+-------------------------------------------------------------------
Old:
----
actionpack-6.0.2.gem
New:
----
actionpack-6.0.2.1.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-6.0.spec ++++++
--- /var/tmp/diff_new_pack.EzebHL/_old 2019-12-21 12:32:11.459386336 +0100
+++ /var/tmp/diff_new_pack.EzebHL/_new 2019-12-21 12:32:11.499386355 +0100
@@ -24,7 +24,7 @@
#
Name: rubygem-actionpack-6.0
-Version: 6.0.2
+Version: 6.0.2.1
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
++++++ actionpack-6.0.2.gem -> actionpack-6.0.2.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2019-12-13 19:07:49.000000000 +0100
+++ new/CHANGELOG.md 2019-12-18 20:07:16.000000000 +0100
@@ -1,3 +1,13 @@
+## Rails 6.0.2.1 (December 18, 2019) ##
+
+* Fix possible information leak / session hijacking vulnerability.
+
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it
requires the
+ gem dalli to be updated as well.
+
+ CVE-2019-16782.
+
+
## Rails 6.0.2 (December 13, 2019) ##
* Allow using mountable engine route helpers in System Tests.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/abstract_store.rb
new/lib/action_dispatch/middleware/session/abstract_store.rb
--- old/lib/action_dispatch/middleware/session/abstract_store.rb
2019-12-13 19:07:49.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/abstract_store.rb
2019-12-18 20:07:16.000000000 +0100
@@ -83,7 +83,21 @@
include SessionObject
private
+ def set_cookie(request, session_id, cookie)
+ request.cookie_jar[key] = cookie
+ end
+ end
+ class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
+ include Compatibility
+ include StaleSessionCheck
+ include SessionObject
+
+ def generate_sid
+ Rack::Session::SessionId.new(super)
+ end
+
+ private
def set_cookie(request, session_id, cookie)
request.cookie_jar[key] = cookie
end
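Review bot: Neither class says which base a session store should now inherit from, even though the two differ exactly on the fixed point: `AbstractStore` (lines above, still closed by the first `end`) hands subclasses the raw session id, while the new `AbstractSecureStore` builds on `Rack::Session::Abstract::PersistedSecure` and wraps ids in `Rack::Session::SessionId`, which is why the metadata diff raises rack to `>= 2.0.8`. I would put a one-line comment on each class, e.g. on the new one `# Base for stores that key their backend on SessionId#private_id (CVE-2019-16782); new stores should inherit from this, not AbstractStore.` and on the legacy one `# Legacy base: subclasses receive the raw id as a String; kept for stores not yet migrated (see the CHANGELOG note on MemCacheStore).` The `set_cookie` body is now duplicated verbatim in both classes and could live in a shared module, though that is cosmetic. Both class headers and the enclosing `module Session` begin before this hunk.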
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/cache_store.rb
new/lib/action_dispatch/middleware/session/cache_store.rb
--- old/lib/action_dispatch/middleware/session/cache_store.rb 2019-12-13
19:07:49.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/cache_store.rb 2019-12-18
20:07:16.000000000 +0100
@@ -12,7 +12,7 @@
# * <tt>cache</tt> - The cache to use. If it is not specified,
<tt>Rails.cache</tt> will be used.
# * <tt>expire_after</tt> - The length of time a session will be stored
before automatically expiring.
# By default, the <tt>:expires_in</tt> option of the cache is used.
- class CacheStore < AbstractStore
+ class CacheStore < AbstractSecureStore
def initialize(app, options = {})
@cache = options[:cache] || Rails.cache
options[:expire_after] ||= @cache.options[:expires_in]
@@ -21,7 +21,7 @@
# Get a session from the cache.
def find_session(env, sid)
- unless sid && (session = @cache.read(cache_key(sid)))
+ unless sid && (session = get_session_with_fallback(sid))
sid, session = generate_sid, {}
end
[sid, session]
@@ -29,7 +29,7 @@
# Set a session in the cache.
def write_session(env, sid, session, options)
- key = cache_key(sid)
+ key = cache_key(sid.private_id)
if session
@cache.write(key, session, expires_in: options[:expire_after])
else
@@ -40,14 +40,19 @@
# Remove a session from the cache.
def delete_session(env, sid, options)
- @cache.delete(cache_key(sid))
+ @cache.delete(cache_key(sid.private_id))
+ @cache.delete(cache_key(sid.public_id))
generate_sid
end
private
# Turn the session id into a cache key.
- def cache_key(sid)
- "_session_id:#{sid}"
+ def cache_key(id)
+ "_session_id:#{id}"
+ end
+
+ def get_session_with_fallback(sid)
+ @cache.read(cache_key(sid.private_id)) ||
@cache.read(cache_key(sid.public_id))
end
end
end
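Review bot: `get_session_with_fallback` keeps a session readable under its legacy unhashed key: when the `private_id` read misses it returns the entry stored under `public_id`, and nothing in this hunk re-keys or removes that entry, so a session created before this version stays reachable under the raw id until it expires or `delete_session` runs (`write_session` above only writes the private key). That looks like an intentional migration aid, but it should say so, e.g. `# Transition path for sessions written before 6.0.2.1, which were keyed by the raw id; the legacy entry lingers until expiry or delete_session.` The calls to `sid.private_id` and `sid.public_id` also assume `sid` is a `Rack::Session::SessionId`, so any code still passing a String (custom stores or tests calling these methods directly) now fails with NoMethodError; the class comment should state the new argument type. `CacheStore`'s header and `initialize` are in an earlier hunk.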
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/cookie_store.rb
new/lib/action_dispatch/middleware/session/cookie_store.rb
--- old/lib/action_dispatch/middleware/session/cookie_store.rb 2019-12-13
19:07:49.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/cookie_store.rb 2019-12-18
20:07:16.000000000 +0100
@@ -46,7 +46,16 @@
# would set the session cookie to expire automatically 14 days after
creation.
# Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
# <tt>:httponly</tt>.
- class CookieStore < AbstractStore
+ class CookieStore < AbstractSecureStore
+ class SessionId < DelegateClass(Rack::Session::SessionId)
+ attr_reader :cookie_value
+
+ def initialize(session_id, cookie_value = {})
+ super(session_id)
+ @cookie_value = cookie_value
+ end
+ end
+
def initialize(app, options = {})
super(app, options.merge!(cookie_only: true))
end
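Review bot: The nested `CookieStore::SessionId` delegator carries no comment explaining why a second session-id type sits next to `Rack::Session::SessionId`. Judging from `write_session` further down in this file, which returns `SessionId.new(sid, session_data)`, it exists to carry the session hash to `set_cookie` (whose body is outside the diff) while still answering `public_id`/`private_id` through delegation; I would document that on the class: `# A Rack::Session::SessionId that also carries the session hash destined for the cookie (#cookie_value); write_session returns one so set_cookie can emit the payload.` The `cookie_value = {}` default means a wrapper built without data yields an empty payload rather than nil, which is worth a word if that is relied on. The rest of `CookieStore` continues past this hunk.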
@@ -54,7 +63,7 @@
def delete_session(req, session_id, options)
new_sid = generate_sid unless options[:drop]
# Reset hash and Assign the new session id
- req.set_header("action_dispatch.request.unsigned_session_cookie",
new_sid ? { "session_id" => new_sid } : {})
+ req.set_header("action_dispatch.request.unsigned_session_cookie",
new_sid ? { "session_id" => new_sid.public_id } : {})
new_sid
end
@@ -62,7 +71,7 @@
stale_session_check! do
data = unpacked_cookie_data(req)
data = persistent_session_id!(data)
- [data["session_id"], data]
+ [Rack::Session::SessionId.new(data["session_id"]), data]
end
end
@@ -70,7 +79,8 @@
def extract_session_id(req)
stale_session_check! do
- unpacked_cookie_data(req)["session_id"]
+ sid = unpacked_cookie_data(req)["session_id"]
+ sid && Rack::Session::SessionId.new(sid)
end
end
@@ -88,13 +98,13 @@
def persistent_session_id!(data, sid = nil)
data ||= {}
- data["session_id"] ||= sid || generate_sid
+ data["session_id"] ||= sid || generate_sid.public_id
data
end
def write_session(req, sid, session_data, options)
- session_data["session_id"] = sid
- session_data
+ session_data["session_id"] = sid.public_id
+ SessionId.new(sid, session_data)
end
def set_cookie(request, session_id, cookie)
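Review bot: In `persistent_session_id!` the two branches of `sid || generate_sid.public_id` no longer have the same type if a caller ever passes a `Rack::Session::SessionId` as `sid`: the generated branch stores the public-id String, the explicit branch stores the object as given, and `load_session` earlier in the diff then wraps it again with `Rack::Session::SessionId.new`. No caller supplying `sid` is visible here, so this may be unreachable; if the parameter is kept, normalising it with `sid = sid.public_id if sid.respond_to?(:public_id)` before the `||=`, or documenting that `sid` must be the public-id String, would prevent an object from being serialised into the cookie. `set_cookie` at the last line of the hunk continues outside it.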
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/request/session.rb
new/lib/action_dispatch/request/session.rb
--- old/lib/action_dispatch/request/session.rb 2019-12-13 19:07:49.000000000
+0100
+++ new/lib/action_dispatch/request/session.rb 2019-12-18 20:07:16.000000000
+0100
@@ -90,7 +90,13 @@
# +nil+ if the given key is not found in the session.
def [](key)
load_for_read!
- @delegate[key.to_s]
+ key = key.to_s
+
+ if key == "session_id"
+ id&.public_id
+ else
+ @delegate[key]
+ end
end
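Review bot: `[]` now answers `"session_id"` (String or Symbol key, since `key.to_s` runs first) from `id&.public_id` instead of the stored entry, but the method comment just above, which ends with "+nil+ if the given key is not found", does not mention the special case. I would extend it with `# "session_id" is answered from the store's SessionId as its public id (the value placed in the cookie), never the hashed private id; anything an app stored under that key is shadowed.` `id` is defined outside this hunk, so I cannot confirm it returns a `Rack::Session::SessionId` for every store; for a store still based on the legacy `AbstractStore`, where the id appears to remain a String, `public_id` would raise NoMethodError, which is worth checking.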
# Returns the nested value specified by the sequence of keys, returning
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch.rb new/lib/action_dispatch.rb
--- old/lib/action_dispatch.rb 2019-12-13 19:07:49.000000000 +0100
+++ new/lib/action_dispatch.rb 2019-12-18 20:07:16.000000000 +0100
@@ -85,10 +85,11 @@
end
module Session
- autoload :AbstractStore,
"action_dispatch/middleware/session/abstract_store"
- autoload :CookieStore,
"action_dispatch/middleware/session/cookie_store"
- autoload :MemCacheStore,
"action_dispatch/middleware/session/mem_cache_store"
- autoload :CacheStore,
"action_dispatch/middleware/session/cache_store"
+ autoload :AbstractStore,
"action_dispatch/middleware/session/abstract_store"
+ autoload :AbstractSecureStore,
"action_dispatch/middleware/session/abstract_store"
+ autoload :CookieStore,
"action_dispatch/middleware/session/cookie_store"
+ autoload :MemCacheStore,
"action_dispatch/middleware/session/mem_cache_store"
+ autoload :CacheStore,
"action_dispatch/middleware/session/cache_store"
end
mattr_accessor :test_app
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb 2019-12-13 19:07:49.000000000 +0100
+++ new/lib/action_pack/gem_version.rb 2019-12-18 20:07:17.000000000 +0100
@@ -10,7 +10,7 @@
MAJOR = 6
MINOR = 0
TINY = 2
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2019-12-13 19:07:49.000000000 +0100
+++ new/metadata 2019-12-18 20:07:16.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionpack
version: !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2019-12-13 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
@@ -31,6 +31,9 @@
- - "~>"
- !ruby/object:Gem::Version
version: '2.0'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.0.8
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +41,9 @@
- - "~>"
- !ruby/object:Gem::Version
version: '2.0'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.0.8
- !ruby/object:Gem::Dependency
name: rack-test
requirement: !ruby/object:Gem::Requirement
@@ -92,28 +98,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.2
+ version: 6.0.2.1
description: Web apps on Rails. Simple, battle-tested conventions for building
and
testing MVC web applications. Works with any Rack-compatible server.
email: [email protected]
@@ -304,10 +310,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v6.0.2/actionpack/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.0.2/
+ changelog_uri:
https://github.com/rails/rails/blob/v6.0.2.1/actionpack/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.0.2.1/
mailing_list_uri: https://groups.google.com/forum/#!forum/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.0.2/actionpack
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.2.1/actionpack
post_install_message:
rdoc_options: []
require_paths: