Hello community,

here is the log from the commit of package rubygem-websocket-extensions for 
openSUSE:Factory checked in at 2020-06-07 21:39:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-websocket-extensions (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-websocket-extensions.new.3606 
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-websocket-extensions"

Sun Jun  7 21:39:17 2020 rev:4 rq:812217 version:0.1.5

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-websocket-extensions/rubygem-websocket-extensions.changes
        2019-06-30 10:22:33.415718591 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-websocket-extensions.new.3606/rubygem-websocket-extensions.changes
      2020-06-07 21:39:26.453663608 +0200
@@ -1,0 +2,7 @@
+Sun Jun  7 10:57:23 UTC 2020 - Manuel Schnitzer <mschnit...@suse.com>
+
+- updated to version 0.1.5
+
+  * CVE-2020-7663: Remove a ReDoS vulnerability in the header parser 
(bsc#1172445)
+
+-------------------------------------------------------------------

Old:
----
  websocket-extensions-0.1.4.gem

New:
----
  websocket-extensions-0.1.5.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-websocket-extensions.spec ++++++
--- /var/tmp/diff_new_pack.nMpNej/_old  2020-06-07 21:39:27.241666105 +0200
+++ /var/tmp/diff_new_pack.nMpNej/_new  2020-06-07 21:39:27.245666118 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-websocket-extensions
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           rubygem-websocket-extensions
-Version:        0.1.4
+Version:        0.1.5
 Release:        0
 %define mod_name websocket-extensions
 %define mod_full_name %{mod_name}-%{version}
@@ -26,7 +26,7 @@
 BuildRequires:  %{rubygem rdoc > 3.10}
 BuildRequires:  %{ruby}
 BuildRequires:  ruby-macros >= 5
-Url:            https://github.com/faye/websocket-extensions-ruby
+URL:            https://github.com/faye/websocket-extensions-ruby
 Source:         https://rubygems.org/gems/%{mod_full_name}.gem
 Summary:        Generic extension manager for WebSocket connections
 License:        Apache-2.0

++++++ websocket-extensions-0.1.4.gem -> websocket-extensions-0.1.5.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2019-06-10 13:37:02.000000000 +0200
+++ new/CHANGELOG.md    2020-06-02 14:59:42.000000000 +0200
@@ -1,6 +1,11 @@
+### 0.1.5 / 2020-06-02
+
+- Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)
+
 ### 0.1.4 / 2019-06-10
 
 - Fix a deprecation warning for using the `=~` operator on `true`
+- Change license from MIT to Apache 2.0
 
 ### 0.1.3 / 2017-11-11
 
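Review bot: the added "- Change license from MIT to Apache 2.0" line sits under the already released 0.1.4 heading, not in the new 0.1.5 section, so a reader who checks only the newest entry will not see it. The spec already declares `License: Apache-2.0` and the unchanged context lines of LICENSE.md show the Apache text on both sides, so no packaging change is needed. Even so, the package .changes entry for this update could mention the retroactive changelog correction alongside the CVE.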
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/LICENSE.md new/LICENSE.md
--- old/LICENSE.md      2019-06-10 13:37:02.000000000 +0200
+++ new/LICENSE.md      2020-06-02 14:59:42.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright 2014-2019 James Coglan
+Copyright 2014-2020 James Coglan
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 this file except in compliance with the License. You may obtain a copy of the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       2019-06-10 13:37:02.000000000 +0200
+++ new/README.md       2020-06-02 14:59:42.000000000 +0200
@@ -227,8 +227,8 @@
 
 ```rb
 ext.create_server_session([
-  {'server_no_context_takeover' => true, 'server_max_window_bits' => 8},
-  {'server_max_window_bits' => 15}
+  { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 },
+  { 'server_max_window_bits' => 15 }
 ])
 ```
 
@@ -244,8 +244,8 @@
 ```rb
 client_session.generate_offer
 # e.g.  -> [
-#            {'server_no_context_takeover' => true, 'server_max_window_bits' 
=> 8},
-#            {'server_max_window_bits' => 15}
+#            { 'server_no_context_takeover' => true, 'server_max_window_bits' 
=> 8 },
+#            { 'server_max_window_bits' => 15 }
 #          ]
 ```
 
@@ -270,7 +270,7 @@
 
 ```rb
 server_session.generate_response
-# e.g.  -> {'server_max_window_bits' => 8}
+# e.g.  -> { 'server_max_window_bits' => 8 }
 ```
 
 This returns the set of parameters the server session wants to send in its
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/websocket/extensions/parser.rb 
new/lib/websocket/extensions/parser.rb
--- old/lib/websocket/extensions/parser.rb      2019-06-10 13:37:02.000000000 
+0200
+++ new/lib/websocket/extensions/parser.rb      2020-06-02 14:59:42.000000000 
+0200
@@ -6,10 +6,10 @@
     class Parser
       TOKEN    = /([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)/
       NOTOKEN  = /([^!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z])/
-      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
-      PARAM    = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
-      EXT      = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
-      EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
+      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
+      PARAM    = %r{#{ TOKEN.source }(?:=(?:#{ TOKEN.source }|#{ QUOTED.source 
}))?}
+      EXT      = %r{#{ TOKEN.source }(?: *; *#{ PARAM.source })*}
+      EXT_LIST = %r{^#{ EXT.source }(?: *, *#{ EXT.source })*$}
       NUMBER   = /^-?(0|[1-9][0-9]*)(\.[0-9]+)?$/
 
       ParseError = Class.new(ArgumentError)
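Review bot: the only behavioural change in this hunk is the `\\` added to the negated character class in QUOTED. The PARAM, EXT and EXT_LIST lines change only the spacing inside `#{ }`, which buries the CVE-2020-7663 fix among cosmetic edits. Suggest moving the whitespace reformatting to its own commit and adding a regression spec for the parser, since no spec change is visible in this diff. With the backslash excluded from the second alternative, a backslash can only be consumed by `\\[\x00-\x7f]`, so the two branches of the quoted-string group no longer overlap. A short comment on QUOTED stating that would keep a later edit from reintroducing the ambiguity. Separately, EXT_LIST still anchors with `^` and `$`, which match at line boundaries in Ruby; `\A` and `\z` would anchor to the whole header string.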
@@ -19,7 +19,7 @@
         return offers if header == '' or header.nil?
 
         unless header =~ EXT_LIST
-          raise ParseError, "Invalid Sec-WebSocket-Extensions header: 
#{header}"
+          raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{ 
header }"
         end
 
         scanner = StringScanner.new(header)
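Review bot: the ParseError message on the changed `raise` line interpolates the entire rejected header, which is remote input of unbounded length that has just failed validation. Suggest interpolating `header.inspect` cut to a fixed length, or leaving the value out of the message, so that control characters and oversized values do not land verbatim in logs and error reports.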
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/websocket/extensions.rb 
new/lib/websocket/extensions.rb
--- old/lib/websocket/extensions.rb     2019-06-10 13:37:02.000000000 +0200
+++ new/lib/websocket/extensions.rb     2020-06-02 14:59:42.000000000 +0200
@@ -38,7 +38,7 @@
       end
 
       if @by_name.has_key?(ext.name)
-        raise TypeError, %Q{An extension with name "#{ext.name}" is already 
registered}
+        raise TypeError, %Q{An extension with name "#{ ext.name }" is already 
registered}
       end
 
       @by_name[ext.name] = ext
@@ -78,18 +78,18 @@
 
       responses.each_offer do |name, params|
         unless record = @index[name]
-          raise ExtensionError, %Q{Server sent am extension response for 
unknown extension "#{name}"}
+          raise ExtensionError, %Q{Server sent am extension response for 
unknown extension "#{ name } }
         end
 
         ext, session = *record
 
         if reserved = reserved?(ext)
-          raise ExtensionError, %Q{Server sent two extension responses that 
use the RSV#{reserved[0]} } +
-                               %Q{ bit: "#{reserved[1]}" and "#{ext.name}"}
+          raise ExtensionError, %Q{Server sent two extension responses that 
use the RSV#{ reserved[0] }} +
+                                %Q{bit: "#{ reserved[1] }" and "#{ ext.name }"}
         end
 
         unless session.activate(params) == true
-          raise ExtensionError, %Q{Server send unacceptable extension 
parameters: #{Parser.serialize_params(name, params)}}
+          raise ExtensionError, %Q{Server send unacceptable extension 
parameters: #{ Parser.serialize_params(name, params) }}
         end
 
         reserve(ext)
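Review bot: the reformatting in this hunk alters the text of two error messages, not just their spacing. In the unknown-extension raise, `"#{name}"}` became `"#{ name } }`, which drops the closing double quote and leaves a trailing space; it should read `"#{ name }"}`. In the RSV raise, the old literals `RSV#{reserved[0]} }` and `%Q{ bit:` became `RSV#{ reserved[0] }}` and `%Q{bit:`, so the joined message now has no space between the RSV number and "bit:"; keep exactly one space on one side of the `+`. While these lines are being touched, "am extension" and "Server send" are typos for "an extension" and "Server sent".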
@@ -118,7 +118,7 @@
     end
 
     def valid_frame_rsv(frame)
-      allowed = {:rsv1 => false, :rsv2 => false, :rsv3 => false}
+      allowed = { :rsv1 => false, :rsv2 => false, :rsv3 => false }
 
       if MESSAGE_OPCODES.include?(frame.opcode)
         @sessions.each do |ext, session|
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2019-06-10 13:37:02.000000000 +0200
+++ new/metadata        2020-06-02 14:59:42.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: websocket-extensions
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - James Coglan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-10 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -59,7 +59,7 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Generic extension manager for WebSocket connections

