Hello community,
here is the log from the commit of package rubygem-actionpack-5.2 for
openSUSE:Factory checked in at 2019-12-23 22:44:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-5.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.6675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-5.2"
Mon Dec 23 22:44:55 2019 rev:8 rq:758822 version:5.2.4.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionpack-5.2/rubygem-actionpack-5.2.changes
2019-11-30 10:40:40.904148404 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.6675/rubygem-actionpack-5.2.changes
2019-12-23 22:47:36.466071274 +0100
@@ -1,0 +2,6 @@
+Fri Dec 20 15:12:50 UTC 2019 - Marcus Rueckert <[email protected]>
+
+- update to version 5.2.4.1 (CVE-2019-16782):
+ https://weblog.rubyonrails.org/2019/12/18/Rails-5-2-4-1-has-been-released/
+
+-------------------------------------------------------------------
Old:
----
actionpack-5.2.4.gem
New:
----
actionpack-5.2.4.1.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-5.2.spec ++++++
--- /var/tmp/diff_new_pack.C2YfcX/_old 2019-12-23 22:47:37.462071642 +0100
+++ /var/tmp/diff_new_pack.C2YfcX/_new 2019-12-23 22:47:37.470071645 +0100
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
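Review bot: The regenerated header comment swaps `https://bugs.opensuse.org/` for `http://bugs.opensuse.org/`, which reads as a gem2rpm template artefact rather than an intended change; keep the TLS form, `# Please submit bugfixes or comments via https://bugs.opensuse.org/`. The remaining hunks of this file only bump Version and reorder the BuildRequires lines, so this is the one line worth querying.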
@@ -24,7 +24,7 @@
#
Name: rubygem-actionpack-5.2
-Version: 5.2.4
+Version: 5.2.4.1
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
@@ -36,9 +36,9 @@
%endif
# /MANUAL
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: ruby-macros >= 5
BuildRequires: %{ruby >= 2.2.2}
BuildRequires: %{rubygem gem2rpm}
-BuildRequires: ruby-macros >= 5
Url: http://rubyonrails.org
Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: gem2rpm.yml
++++++ actionpack-5.2.4.gem -> actionpack-5.2.4.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2019-11-27 16:40:09.000000000 +0100
+++ new/CHANGELOG.md 2019-12-18 20:00:15.000000000 +0100
@@ -1,3 +1,13 @@
+## Rails 5.2.4.1 (December 18, 2019) ##
+
+* Fix possible information leak / session hijacking vulnerability.
+
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it
requires the
+ gem dalli to be updated as well.
+
+ CVE-2019-16782.
+
+
## Rails 5.2.4 (November 27, 2019) ##
* No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/abstract_store.rb
new/lib/action_dispatch/middleware/session/abstract_store.rb
--- old/lib/action_dispatch/middleware/session/abstract_store.rb
2019-11-27 16:40:09.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/abstract_store.rb
2019-12-18 20:00:16.000000000 +0100
@@ -83,7 +83,21 @@
include SessionObject
private
+ def set_cookie(request, session_id, cookie)
+ request.cookie_jar[key] = cookie
+ end
+ end
+ class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
+ include Compatibility
+ include StaleSessionCheck
+ include SessionObject
+
+ def generate_sid
+ Rack::Session::SessionId.new(super)
+ end
+
+ private
def set_cookie(request, session_id, cookie)
request.cookie_jar[key] = cookie
end
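Review bot: `AbstractSecureStore` is introduced without a comment explaining how it differs from the `AbstractStore` left in place above it, which is the first question a maintainer choosing a base class will ask; a header such as `# Base class for session stores that persist data under Rack::Session::SessionId#private_id; AbstractStore remains for stores not yet converted to Rack's secure ids.` would help. Whether the CHANGELOG's note that MemcacheStore remains affected corresponds to that store still deriving from `AbstractStore` is not visible here, so confirm the wording against mem_cache_store.rb. The `super` in `generate_sid` presumably resolves through the included `Compatibility` module before reaching `PersistedSecure`, so the `Rack::Session::SessionId.new` wrapping is what turns a bare string into a Rack id — worth a line, `# Compatibility#generate_sid yields a plain string; wrap it so callers always receive a SessionId.`. The class body continues past the end of the hunk.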
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/cache_store.rb
new/lib/action_dispatch/middleware/session/cache_store.rb
--- old/lib/action_dispatch/middleware/session/cache_store.rb 2019-11-27
16:40:09.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/cache_store.rb 2019-12-18
20:00:16.000000000 +0100
@@ -12,7 +12,7 @@
# * <tt>cache</tt> - The cache to use. If it is not specified,
<tt>Rails.cache</tt> will be used.
# * <tt>expire_after</tt> - The length of time a session will be stored
before automatically expiring.
# By default, the <tt>:expires_in</tt> option of the cache is used.
- class CacheStore < AbstractStore
+ class CacheStore < AbstractSecureStore
def initialize(app, options = {})
@cache = options[:cache] || Rails.cache
options[:expire_after] ||= @cache.options[:expires_in]
@@ -21,7 +21,7 @@
# Get a session from the cache.
def find_session(env, sid)
- unless sid && (session = @cache.read(cache_key(sid)))
+ unless sid && (session = get_session_with_fallback(sid))
sid, session = generate_sid, {}
end
[sid, session]
@@ -29,7 +29,7 @@
# Set a session in the cache.
def write_session(env, sid, session, options)
- key = cache_key(sid)
+ key = cache_key(sid.private_id)
if session
@cache.write(key, session, expires_in: options[:expire_after])
else
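Review bot: A session stored before this upgrade stays readable under its public-id key until the cache's `expires_in` elapses, because `write_session` here only writes the `private_id` key and nothing removes the legacy entry that `get_session_with_fallback` (last hunk of this file) reads on a miss; only `delete_session` clears both keys. A single line after the write, `@cache.delete(cache_key(sid.public_id))`, closes that window at the first write of the session after the upgrade, at the cost of one extra cache call per commit; if that cost matters, the delete can be limited to sessions that were actually found through the fallback. The `else` branch of `write_session` continues outside the hunk.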
@@ -40,14 +40,19 @@
# Remove a session from the cache.
def delete_session(env, sid, options)
- @cache.delete(cache_key(sid))
+ @cache.delete(cache_key(sid.private_id))
+ @cache.delete(cache_key(sid.public_id))
generate_sid
end
private
# Turn the session id into a cache key.
- def cache_key(sid)
- "_session_id:#{sid}"
+ def cache_key(id)
+ "_session_id:#{id}"
+ end
+
+ def get_session_with_fallback(sid)
+ @cache.read(cache_key(sid.private_id)) ||
@cache.read(cache_key(sid.public_id))
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/session/cookie_store.rb
new/lib/action_dispatch/middleware/session/cookie_store.rb
--- old/lib/action_dispatch/middleware/session/cookie_store.rb 2019-11-27
16:40:09.000000000 +0100
+++ new/lib/action_dispatch/middleware/session/cookie_store.rb 2019-12-18
20:00:16.000000000 +0100
@@ -51,7 +51,16 @@
# would set the session cookie to expire automatically 14 days after
creation.
# Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
# <tt>:httponly</tt>.
- class CookieStore < AbstractStore
+ class CookieStore < AbstractSecureStore
+ class SessionId < DelegateClass(Rack::Session::SessionId)
+ attr_reader :cookie_value
+
+ def initialize(session_id, cookie_value = {})
+ super(session_id)
+ @cookie_value = cookie_value
+ end
+ end
+
def initialize(app, options = {})
super(app, options.merge!(cookie_only: true))
end
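Review bot: The nested `CookieStore::SessionId` wrapper carries no comment, and the reason it bundles a `cookie_value` with the Rack id is only discoverable from `write_session` further down this file, which returns `SessionId.new(sid, session_data)`; a header such as `# Pairs the Rack session id with the cookie payload built by write_session so the value can be handed on to set_cookie.` would make the hand-off explicit — the `set_cookie` body is outside the hunk, so confirm it reads `cookie_value`. `DelegateClass` comes from the `delegate` standard library and the file's require block is not visible here; check it is required before this class is evaluated rather than relying on another file having loaded it.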
@@ -59,7 +68,7 @@
def delete_session(req, session_id, options)
new_sid = generate_sid unless options[:drop]
# Reset hash and Assign the new session id
- req.set_header("action_dispatch.request.unsigned_session_cookie",
new_sid ? { "session_id" => new_sid } : {})
+ req.set_header("action_dispatch.request.unsigned_session_cookie",
new_sid ? { "session_id" => new_sid.public_id } : {})
new_sid
end
@@ -67,7 +76,7 @@
stale_session_check! do
data = unpacked_cookie_data(req)
data = persistent_session_id!(data)
- [data["session_id"], data]
+ [Rack::Session::SessionId.new(data["session_id"]), data]
end
end
@@ -75,7 +84,8 @@
def extract_session_id(req)
stale_session_check! do
- unpacked_cookie_data(req)["session_id"]
+ sid = unpacked_cookie_data(req)["session_id"]
+ sid && Rack::Session::SessionId.new(sid)
end
end
@@ -93,13 +103,13 @@
def persistent_session_id!(data, sid = nil)
data ||= {}
- data["session_id"] ||= sid || generate_sid
+ data["session_id"] ||= sid || generate_sid.public_id
data
end
def write_session(req, sid, session_data, options)
- session_data["session_id"] = sid
- session_data
+ session_data["session_id"] = sid.public_id
+ SessionId.new(sid, session_data)
end
def set_cookie(request, session_id, cookie)
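Review bot: `write_session` now returns a `SessionId` wrapper where it previously returned the `session_data` hash, so any subclass or caller that treated the return value as the cookie hash (an overridden `set_cookie`, whose body is outside this hunk, is the obvious candidate) will now receive a delegator; that silent interface change deserves a comment on the method, e.g. `# Returns a SessionId wrapper whose cookie_value is session_data; consumers receive this object, not the hash.`. `persistent_session_id!` writing `generate_sid.public_id` into the data hash is consistent with `delete_session` above, which likewise stores only the public id in the cookie.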
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/request/session.rb
new/lib/action_dispatch/request/session.rb
--- old/lib/action_dispatch/request/session.rb 2019-11-27 16:40:09.000000000
+0100
+++ new/lib/action_dispatch/request/session.rb 2019-12-18 20:00:16.000000000
+0100
@@ -90,7 +90,13 @@
# +nil+ if the given key is not found in the session.
def [](key)
load_for_read!
- @delegate[key.to_s]
+ key = key.to_s
+
+ if key == "session_id"
+ id&.public_id
+ else
+ @delegate[key]
+ end
end
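Review bot: The special case for `"session_id"` in `[]` is undocumented, and the comment above the method (`+nil+ if the given key is not found in the session`) now describes only the `else` branch; add a line such as `# "session_id" is answered from the Rack session id's public_id rather than from the stored hash, so application code only ever sees the public id.` and mention the exception in the method's RDoc. Whether `fetch`, `dig` or `to_hash` on this class still expose the raw stored value is not visible in the hunk and should be checked for the same treatment. `id` is not defined in this hunk; I assume it returns the `Rack::Session::SessionId` for the current request.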
# Returns true if the session has the given key or false.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch.rb new/lib/action_dispatch.rb
--- old/lib/action_dispatch.rb 2019-11-27 16:40:09.000000000 +0100
+++ new/lib/action_dispatch.rb 2019-12-18 20:00:15.000000000 +0100
@@ -83,10 +83,11 @@
end
module Session
- autoload :AbstractStore,
"action_dispatch/middleware/session/abstract_store"
- autoload :CookieStore,
"action_dispatch/middleware/session/cookie_store"
- autoload :MemCacheStore,
"action_dispatch/middleware/session/mem_cache_store"
- autoload :CacheStore,
"action_dispatch/middleware/session/cache_store"
+ autoload :AbstractStore,
"action_dispatch/middleware/session/abstract_store"
+ autoload :AbstractSecureStore,
"action_dispatch/middleware/session/abstract_store"
+ autoload :CookieStore,
"action_dispatch/middleware/session/cookie_store"
+ autoload :MemCacheStore,
"action_dispatch/middleware/session/mem_cache_store"
+ autoload :CacheStore,
"action_dispatch/middleware/session/cache_store"
end
mattr_accessor :test_app
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb 2019-11-27 16:40:09.000000000 +0100
+++ new/lib/action_pack/gem_version.rb 2019-12-18 20:00:16.000000000 +0100
@@ -10,7 +10,7 @@
MAJOR = 5
MINOR = 2
TINY = 4
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2019-11-27 16:40:09.000000000 +0100
+++ new/metadata 2019-12-18 20:00:15.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionpack
version: !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2019-11-27 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
@@ -31,6 +31,9 @@
- - "~>"
- !ruby/object:Gem::Version
version: '2.0'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.0.8
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +41,9 @@
- - "~>"
- !ruby/object:Gem::Version
version: '2.0'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.0.8
- !ruby/object:Gem::Dependency
name: rack-test
requirement: !ruby/object:Gem::Requirement
@@ -92,28 +98,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 5.2.4
+ version: 5.2.4.1
description: Web apps on Rails. Simple, battle-tested conventions for building
and
testing MVC web applications. Works with any Rack-compatible server.
email: [email protected]
@@ -293,8 +299,8 @@
licenses:
- MIT
metadata:
- source_code_uri: https://github.com/rails/rails/tree/v5.2.4/actionpack
- changelog_uri:
https://github.com/rails/rails/blob/v5.2.4/actionpack/CHANGELOG.md
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.4.1/actionpack
+ changelog_uri:
https://github.com/rails/rails/blob/v5.2.4.1/actionpack/CHANGELOG.md
post_install_message:
rdoc_options: []
require_paths: