Hello community, here is the log from the commit of package rubygem-puma for openSUSE:Factory checked in at 2020-05-28 09:19:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-puma (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-puma" Thu May 28 09:19:09 2020 rev:37 rq:809489 version:4.3.5 Changes: --------
--- /work/SRC/openSUSE:Factory/rubygem-puma/rubygem-puma.changes 2020-03-04 09:43:29.638038856 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-puma.new.3606/rubygem-puma.changes 2020-05-28 09:19:09.589191287 +0200
@@ -1,0 +2,8 @@
+Wed May 27 11:04:58 UTC 2020 - Manuel Schnitzer <[email protected]>
+
+- updated to version 4.3.5
+
+ * CVE-2020-11076, CVE-2020-11077: Fixed two separate HTTP smuggling
+ vulnerabilities that used the Transfer-Encoding header
+
+-------------------------------------------------------------------
Old: ---- puma-4.3.3.gem New: ---- puma-4.3.5.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-puma.spec ++++++
--- /var/tmp/diff_new_pack.RoQIx7/_old 2020-05-28 09:19:10.021192079 +0200
+++ /var/tmp/diff_new_pack.RoQIx7/_new 2020-05-28 09:19:10.025192086 +0200
@@ -24,7 +24,7 @@
 #
 Name: rubygem-puma
-Version: 4.3.3
+Version: 4.3.5
 Release: 0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}
++++++ puma-4.3.3.gem -> puma-4.3.5.gem ++++++ Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ext/puma_http11/http11_parser.c new/ext/puma_http11/http11_parser.c
--- old/ext/puma_http11/http11_parser.c 2020-02-28 20:20:22.000000000 +0100
+++ new/ext/puma_http11/http11_parser.c 2020-05-20 00:34:24.000000000 +0200
@@ -14,12 +14,14 @@
 /*
 * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
 */
 static void snake_upcase_char(char *c)
 {
 if (*c >= 'a' && *c <= 'z')
 *c &= ~0x20;
+ else if (*c == '_')
+ *c = ',';
 else if (*c == '-')
 *c = '_';
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ext/puma_http11/http11_parser.rl new/ext/puma_http11/http11_parser.rl
--- old/ext/puma_http11/http11_parser.rl 2020-02-28 20:20:22.000000000 +0100
+++ new/ext/puma_http11/http11_parser.rl 2020-05-20 00:34:24.000000000 +0200
@@ -12,12 +12,14 @@
 /*
 * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
 */
 static void snake_upcase_char(char *c)
 {
 if (*c >= 'a' && *c <= 'z')
 *c &= ~0x20;
+ else if (*c == '_')
+ *c = ',';
 else if (*c == '-')
 *c = '_';
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/client.rb new/lib/puma/client.rb
--- old/lib/puma/client.rb 2020-02-28 20:20:22.000000000 +0100
+++ new/lib/puma/client.rb 2020-05-20 00:34:24.000000000 +0200
@@ -285,8 +285,16 @@
 te = @env[TRANSFER_ENCODING2]
- if te && CHUNKED.casecmp(te) == 0
- return setup_chunked_body(body)
+ if te
+ if te.include?(",")
+ te.split(",").each do |part|
+ if CHUNKED.casecmp(part.strip) == 0
+ return setup_chunked_body(body)
+ end
+ end
+ elsif CHUNKED.casecmp(te) == 0
+ return setup_chunked_body(body)
+ end
 end
 @chunked_body = false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb
--- old/lib/puma/const.rb 2020-02-28 20:20:22.000000000 +0100
+++ new/lib/puma/const.rb 2020-05-20 00:34:24.000000000 +0200
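Review bot: The updated comment on snake_upcase_char in http11_parser.rl says what the function now does but not why an underscore turns into a comma, which is the entire point of the change and will puzzle the next reader. I would extend it with the rationale, e.g. `Underscores become commas so that a header spelled Transfer_Encoding cannot normalize to the same HTTP_TRANSFER_ENCODING key as Transfer-Encoding; the server restores the underscore for every other header before the app sees it. A comma is not a valid field-name character (RFC 7230 tchar), so no legitimately parsed header can already contain one` — the second sentence assumes the field-name grammar in this file rejects `,`, which is worth confirming. The identical hunk in http11_parser.c appears to be the Ragel-generated copy of this file, so the comment belongs here rather than there.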
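Review bot: The new `te.split(",")` branch in client.rb treats the request as chunked whenever `chunked` appears anywhere in the list, while RFC 7230 §3.3.3 only defines the body length when chunked is the final coding, and every other coding (`gzip, chunked`, `chunked, identity`, a doubled `chunked, chunked`) is silently ignored rather than refused — exactly the parse disagreement with a front-end proxy that request smuggling exploits. I would accept only a Transfer-Encoding that is exactly `chunked` and fail the request otherwise. The enclosing method starts and ends outside this hunk and I cannot see which error the surrounding code raises for malformed requests, so the error class below needs confirming; an `identity`-only value may also need tolerating if real clients send it.
```ruby
        te = @env[TRANSFER_ENCODING2]
        if te
          codings = te.split(",").map(&:strip)
          # RFC 7230 §3.3.3: chunked must be the last coding, and it is the only
          # one this server decodes, so accept exactly "chunked" and refuse
          # anything else instead of guessing at the body length.
          if codings.size == 1 && CHUNKED.casecmp(codings.first) == 0
            return setup_chunked_body(body)
          end
          raise HttpParserError, "Invalid Transfer-Encoding: #{te}" # NOTE(review): confirm this is the error class callers rescue for bad requests
        end
        # … unchanged: @chunked_body = false and the Content-Length path …
```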
@@ -100,7 +100,7 @@
 # too taxing on performance.
 module Const
- PUMA_VERSION = VERSION = "4.3.3".freeze
+ PUMA_VERSION = VERSION = "4.3.5".freeze
 CODE_NAME = "Mysterious Traveller".freeze
 PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb
--- old/lib/puma/server.rb 2020-02-28 20:20:22.000000000 +0100
+++ new/lib/puma/server.rb 2020-05-20 00:34:24.000000000 +0200
@@ -672,6 +672,37 @@
 }
 end
+ # Fixup any headers with , in the name to have _ now. We emit
+ # headers with , in them during the parse phase to avoid ambiguity
+ # with the - to _ conversion for critical headers. But here for
+ # compatibility, we'll convert them back. This code is written to
+ # avoid allocation in the common case (ie there are no headers
+ # with , in their names), that's why it has the extra conditionals.
+
+ to_delete = nil
+ to_add = nil
+
+ env.each do |k,v|
+ if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+ if to_delete
+ to_delete << k
+ else
+ to_delete = [k]
+ end
+
+ unless to_add
+ to_add = {}
+ end
+
+ to_add[k.gsub(",", "_")] = v
+ end
+ end
+
+ if to_delete
+ to_delete.each { |k| env.delete(k) }
+ env.merge! to_add
+ end
+ # A rack extension. If the app writes #call'ables to this
+ # array, we will invoke them when the request is done.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2020-02-28 20:20:22.000000000 +0100
+++ new/metadata 2020-05-20 00:34:24.000000000 +0200
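Review bot: The restore step in server.rb lets an underscore-spelled header silently replace the dash-spelled one that produced the same Rack key: a request header `X_Forwarded_For` leaves the parser as `HTTP_X,FORWARDED,FOR` (assuming the usual `HTTP_` prefix), `to_add[k.gsub(",", "_")] = v` turns that into `HTTP_X_FORWARDED_FOR`, and `env.merge! to_add` overwrites whatever `X-Forwarded-For` had set there. So the collision this commit closes for Transfer-Encoding, the only key exempted on the `if k.start_with?` line, stays open for every other header, including ones a front proxy may have set or sanitised. I would keep the header already in env and restore the underscore variant only when its key is free, which means the merge must tolerate an empty `to_add`; while here, the `and` chain in that condition should be `&&`. The enclosing method starts and ends outside this hunk.
```ruby
      to_delete = nil
      to_add = nil

      env.each do |k, v|
        next unless k.start_with?("HTTP_") && k.include?(",") && k != "HTTP_TRANSFER,ENCODING"

        (to_delete ||= []) << k
        restored = k.gsub(",", "_")
        # A dash-spelled header that already normalised to this key wins;
        # never let the underscore spelling overwrite it.
        (to_add ||= {})[restored] = v unless env.key?(restored)
      end

      if to_delete
        to_delete.each { |k| env.delete(k) }
        env.merge!(to_add) if to_add
      end
```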
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: puma version: !ruby/object:Gem::Version - version: 4.3.3 + version: 4.3.5 platform: ruby authors: - Evan Phoenix autorequire: bindir: bin cert_chain: [] -date: 2020-02-28 00:00:00.000000000 Z +date: 2020-05-19 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nio4r @@ -136,7 +136,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.1.2 +rubygems_version: 3.0.3 signing_key: specification_version: 4 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
