Hello community, here is the log from the commit of package rubygem-puma for openSUSE:Factory checked in at 2020-03-04 09:41:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-puma (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-puma" Wed Mar 4 09:41:27 2020 rev:36 rq:781166 version:4.3.3 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-puma/rubygem-puma.changes 2019-12-14 12:23:56.775194187 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-puma.new.26092/rubygem-puma.changes 2020-03-04 09:43:29.638038856 +0100 @@ -1,0 +2,10 @@ +Tue Mar 3 10:37:59 UTC 2020 - Manuel Schnitzer <[email protected]> + +- updated to version 4.3.3 + + # Bugfixes + * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132) + # Security + * Fix: Prevent HTTP Response splitting via CR in early hints. + +------------------------------------------------------------------- Old: ---- puma-4.3.1.gem New: ---- puma-4.3.3.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-puma.spec ++++++ --- /var/tmp/diff_new_pack.7RGoYQ/_old 2020-03-04 09:43:35.526042385 +0100 +++ /var/tmp/diff_new_pack.7RGoYQ/_new 2020-03-04 09:43:35.530042387 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-puma # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-puma -Version: 4.3.1 +Version: 4.3.3 Release: 0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} 
@@ -36,7 +36,7 @@ BuildRequires: %{rubygem gem2rpm} BuildRequires: ruby-macros >= 5 BuildRequires: update-alternatives -Url: http://puma.io +URL: http://puma.io Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: rubygem-puma-rpmlintrc Source2: gem2rpm.yml ++++++ puma-4.3.1.gem -> puma-4.3.3.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 2019-12-05 08:36:00.000000000 +0100 +++ new/History.md 2020-02-28 20:20:22.000000000 +0100 @@ -6,6 +6,18 @@ * Bugfixes * Your bugfix goes here (#Github Number) + +## 4.3.3 and 3.12.4 / 2020-02-28 + * Bugfixes + * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132) + * Security + * Fix: Prevent HTTP Response splitting via CR in early hints. + +## 4.3.2 and 3.12.3 / 2020-02-27 + +* Security + * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247. + ## 4.3.1 and 3.12.2 / 2019-12-05 * Security Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb --- old/lib/puma/const.rb 2019-12-05 08:36:00.000000000 +0100 +++ new/lib/puma/const.rb 2020-02-28 20:20:22.000000000 +0100 @@ -100,7 +100,7 @@ # too taxing on performance. module Const - PUMA_VERSION = VERSION = "4.3.1".freeze + PUMA_VERSION = VERSION = "4.3.3".freeze CODE_NAME = "Mysterious Traveller".freeze PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze 
@@ -228,6 +228,7 @@ COLON = ": ".freeze NEWLINE = "\n".freeze + HTTP_INJECTION_REGEX = /[\r\n]/.freeze HIJACK_P = "rack.hijack?".freeze HIJACK = "rack.hijack".freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb --- old/lib/puma/server.rb 2019-12-05 08:36:00.000000000 +0100 +++ new/lib/puma/server.rb 2020-02-28 20:20:22.000000000 +0100 @@ -657,6 +657,7 @@ headers.each_pair do |k, vs| if vs.respond_to?(:to_s) && !vs.to_s.empty? vs.to_s.split(NEWLINE).each do |v| + next if possible_header_injection?(v) fast_write client, "#{k}: #{v}\r\n" end else @@ -758,6 +759,7 @@ headers.each do |k, vs| case k.downcase when CONTENT_LENGTH2 + next if possible_header_injection?(vs) content_length = vs next when TRANSFER_ENCODING @@ -770,6 +772,7 @@ if vs.respond_to?(:to_s) && !vs.to_s.empty? vs.to_s.split(NEWLINE).each do |v| + next if possible_header_injection?(v) lines.append k, colon, v, line_ending end else @@ -1040,5 +1043,10 @@ def shutting_down? @status == :stop || @status == :restart end + + def possible_header_injection?(header_value) + HTTP_INJECTION_REGEX =~ header_value.to_s + end + private :possible_header_injection? end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2019-12-05 08:36:00.000000000 +0100 +++ new/metadata 2020-02-28 20:20:22.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: puma version: !ruby/object:Gem::Version - version: 4.3.1 + version: 4.3.3 platform: ruby authors: - Evan Phoenix autorequire: bindir: bin cert_chain: [] -date: 2019-12-05 00:00:00.000000000 Z +date: 2020-02-28 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nio4r 
@@ -136,7 +136,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.0.3 +rubygems_version: 3.1.2 signing_key: specification_version: 4 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
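Review bot: The spec hunk at @@ -36 only changes the tag case (`-Url: http://puma.io` / `+URL: http://puma.io`) and leaves the value on plain HTTP; while the line is being touched, switching it to https://puma.io would keep the packaging metadata off an unencrypted upstream link (assumption: the upstream site is served over HTTPS, verify before changing).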
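Review bot: The 4.3.3 entry in the History.md hunk files the early-hints response-splitting fix under Security but, unlike the 4.3.2 entry (CVE-2020-5247), cites no advisory identifier; if one has been assigned it belongs here so downstream packagers can match the fix to the advisory. Minor style point: the two new entries indent their list markers differently (`+ * Bugfixes` versus `+* Security`).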
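Review bot: HTTP_INJECTION_REGEX in the const.rb hunk is added with no comment saying what it guards or how its match is acted on; a one-line comment above `HTTP_INJECTION_REGEX = /[\r\n]/.freeze` noting that a matching header value is dropped (not sanitised) by `possible_header_injection?` in server.rb would save the next reader a cross-file lookup.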
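Review bot: In the @@ -657 hunk the new `next if possible_header_injection?(v)` drops an offending early-hints header silently, so an application that sets a value with an embedded CR sees the header vanish with nothing in the log to explain it; dropping is the right fail-safe, but routing a message through the server's existing logging path would make the misbehaving application code findable. Note also that `v` has already been produced by `split(NEWLINE)`, so in this branch only the CR half of HTTP_INJECTION_REGEX can ever match.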
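Review bot: In the @@ -758 hunk the `next if possible_header_injection?(vs)` under CONTENT_LENGTH2 skips the `content_length = vs` assignment entirely, so a Content-Length value carrying CR or LF leaves content_length unset and the response proceeds as if the application had given no length; that is a defensible fail-safe, but it deserves a comment. Separately, all four call sites check only the value (`v` or `vs`), while the header name `k` is still written unchecked in both `fast_write client, "#{k}: #{v}\r\n"` and `lines.append k, colon, v, line_ending`; if header names can ever originate from untrusted input, the same regex should be applied to `k`.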
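Review bot: The @@ -770 hunk duplicates the split-then-check sequence of the early-hints hunk rather than sharing it; beyond the duplication, a regression test that feeds a header value containing a bare CR through both the normal response path and the early-hints path would keep the two from drifting apart in a future refactor.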
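Review bot: `possible_header_injection?` in the @@ -1040 hunk returns whatever `=~` yields, an Integer offset or nil, so the `?`-suffixed predicate can return 0 (truthy in Ruby, but not a boolean); the current `next if` callers are fine, but any future `== true` comparison would silently break. Returning an explicit boolean, for example `!(HTTP_INJECTION_REGEX =~ header_value.to_s).nil?`, or `Regexp#match?` where the supported Ruby floor allows it (it also avoids setting `$~`), would make the contract clear.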
