Hello community, here is the log from the commit of package rubygem-websocket-extensions for openSUSE:Factory checked in at 2020-06-07 21:39:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-websocket-extensions (Old) and /work/SRC/openSUSE:Factory/.rubygem-websocket-extensions.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-websocket-extensions" Sun Jun 7 21:39:17 2020 rev:4 rq:812217 version:0.1.5 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-websocket-extensions/rubygem-websocket-extensions.changes 2019-06-30 10:22:33.415718591 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-websocket-extensions.new.3606/rubygem-websocket-extensions.changes 2020-06-07 21:39:26.453663608 +0200 @@ -1,0 +2,7 @@ +Sun Jun 7 10:57:23 UTC 2020 - Manuel Schnitzer <mschnit...@suse.com> + +- updated to version 0.1.5 + + * CVE-2020-7663: Remove a ReDoS vulnerability in the header parser (bsc#1172445) + +------------------------------------------------------------------- Old: ---- websocket-extensions-0.1.4.gem New: ---- websocket-extensions-0.1.5.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-websocket-extensions.spec ++++++ --- /var/tmp/diff_new_pack.nMpNej/_old 2020-06-07 21:39:27.241666105 +0200 +++ /var/tmp/diff_new_pack.nMpNej/_new 2020-06-07 21:39:27.245666118 +0200 @@ -1,7 +1,7 @@ # # spec file for package rubygem-websocket-extensions # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: rubygem-websocket-extensions -Version: 0.1.4 +Version: 0.1.5 Release: 0 %define mod_name websocket-extensions %define mod_full_name %{mod_name}-%{version} 
@@ -26,7 +26,7 @@ BuildRequires: %{rubygem rdoc > 3.10} BuildRequires: %{ruby} BuildRequires: ruby-macros >= 5 -Url: https://github.com/faye/websocket-extensions-ruby +URL: https://github.com/faye/websocket-extensions-ruby Source: https://rubygems.org/gems/%{mod_full_name}.gem Summary: Generic extension manager for WebSocket connections License: Apache-2.0 ++++++ websocket-extensions-0.1.4.gem -> websocket-extensions-0.1.5.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2019-06-10 13:37:02.000000000 +0200 +++ new/CHANGELOG.md 2020-06-02 14:59:42.000000000 +0200 @@ -1,6 +1,11 @@ +### 0.1.5 / 2020-06-02 + +- Remove a ReDoS vulnerability in the header parser (CVE-2020-7663) + ### 0.1.4 / 2019-06-10 - Fix a deprecation warning for using the `=~` operator on `true` +- Change license from MIT to Apache 2.0 ### 0.1.3 / 2017-11-11 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LICENSE.md new/LICENSE.md --- old/LICENSE.md 2019-06-10 13:37:02.000000000 +0200 +++ new/LICENSE.md 2020-06-02 14:59:42.000000000 +0200 @@ -1,4 +1,4 @@ -Copyright 2014-2019 James Coglan +Copyright 2014-2020 James Coglan Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2019-06-10 13:37:02.000000000 +0200 +++ new/README.md 2020-06-02 14:59:42.000000000 +0200 @@ -227,8 +227,8 @@ ```rb ext.create_server_session([ - {'server_no_context_takeover' => true, 'server_max_window_bits' => 8}, - {'server_max_window_bits' => 15} + { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 }, + { 'server_max_window_bits' => 15 } ]) ``` 
@@ -244,8 +244,8 @@ ```rb client_session.generate_offer # e.g. -> [ -# {'server_no_context_takeover' => true, 'server_max_window_bits' => 8}, -# {'server_max_window_bits' => 15} +# { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 }, +# { 'server_max_window_bits' => 15 } # ] ``` @@ -270,7 +270,7 @@ ```rb server_session.generate_response -# e.g. -> {'server_max_window_bits' => 8} +# e.g. -> { 'server_max_window_bits' => 8 } ``` This returns the set of parameters the server session wants to send in its Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/websocket/extensions/parser.rb new/lib/websocket/extensions/parser.rb --- old/lib/websocket/extensions/parser.rb 2019-06-10 13:37:02.000000000 +0200 +++ new/lib/websocket/extensions/parser.rb 2020-06-02 14:59:42.000000000 +0200 @@ -6,10 +6,10 @@ class Parser TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)/ NOTOKEN = /([^!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z])/ - QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/ - PARAM = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?} - EXT = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*} - EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$} + QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/ + PARAM = %r{#{ TOKEN.source }(?:=(?:#{ TOKEN.source }|#{ QUOTED.source }))?} + EXT = %r{#{ TOKEN.source }(?: *; *#{ PARAM.source })*} + EXT_LIST = %r{^#{ EXT.source }(?: *, *#{ EXT.source })*$} NUMBER = /^-?(0|[1-9][0-9]*)(\.[0-9]+)?$/ ParseError = Class.new(ArgumentError) 
@@ -19,7 +19,7 @@ return offers if header == '' or header.nil? unless header =~ EXT_LIST - raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{header}" + raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{ header }" end scanner = StringScanner.new(header) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/websocket/extensions.rb new/lib/websocket/extensions.rb --- old/lib/websocket/extensions.rb 2019-06-10 13:37:02.000000000 +0200 +++ new/lib/websocket/extensions.rb 2020-06-02 14:59:42.000000000 +0200 @@ -38,7 +38,7 @@ end if @by_name.has_key?(ext.name) - raise TypeError, %Q{An extension with name "#{ext.name}" is already registered} + raise TypeError, %Q{An extension with name "#{ ext.name }" is already registered} end @by_name[ext.name] = ext @@ -78,18 +78,18 @@ responses.each_offer do |name, params| unless record = @index[name] - raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{name}"} + raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{ name } } end ext, session = *record if reserved = reserved?(ext) - raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{reserved[0]} } + - %Q{ bit: "#{reserved[1]}" and "#{ext.name}"} + raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{ reserved[0] }} + + %Q{bit: "#{ reserved[1] }" and "#{ ext.name }"} end unless session.activate(params) == true - raise ExtensionError, %Q{Server send unacceptable extension parameters: #{Parser.serialize_params(name, params)}} + raise ExtensionError, %Q{Server send unacceptable extension parameters: #{ Parser.serialize_params(name, params) }} end reserve(ext) 
@@ -118,7 +118,7 @@ end def valid_frame_rsv(frame) - allowed = {:rsv1 => false, :rsv2 => false, :rsv3 => false} + allowed = { :rsv1 => false, :rsv2 => false, :rsv3 => false } if MESSAGE_OPCODES.include?(frame.opcode) @sessions.each do |ext, session| diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2019-06-10 13:37:02.000000000 +0200 +++ new/metadata 2020-06-02 14:59:42.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: websocket-extensions version: !ruby/object:Gem::Version - version: 0.1.4 + version: 0.1.5 platform: ruby authors: - James Coglan autorequire: bindir: bin cert_chain: [] -date: 2019-06-10 00:00:00.000000000 Z +date: 2020-06-02 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: rspec @@ -59,7 +59,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.0.3 +rubygems_version: 3.1.2 signing_key: specification_version: 4 summary: Generic extension manager for WebSocket connections
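Review bot: in the parser.rb hunk that rewrites QUOTED, the only functional change is adding `\\` to the negated class, `[^\x00-\x08\x0a-\x1f\x7f"\\]`, and that is what removes the ReDoS: in the old pattern `(?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*` a backslash could be consumed either as the first half of an escape pair or as a plain character, so a quoted parameter value containing a long run of backslashes and no closing `"` is re-partitioned an exponential number of times before the anchored `header =~ EXT_LIST` check finally fails. With backslash excluded from the second branch each character has exactly one parse and matching is linear. Two follow-ups are missing from the hunk. First, there is no regression spec; one that feeds `parse` a header such as `foo; bar="` followed by a few hundred backslashes and no closing quote, and asserts that ParseError is raised promptly, is the only thing that will stop the overlapping branches from being reintroduced. Second, EXT_LIST and NUMBER still use `^` and `$`, which in Ruby are line anchors rather than string anchors, so a header value that contains a newline can pass the `=~ EXT_LIST` check with only one line validated before the StringScanner pass is run over the whole string; `\A` and `\z` express what this code appears to intend. Separately, the whitespace added inside every `#{ ... }` interpolation in this and the following hunks is cosmetic churn that makes the one-character security fix harder to pick out of the diff; it belongs in its own commit.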
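Review bot: the extensions.rb hunk at `@@ -78,18` touches three error messages but leaves their wording wrong and, as shown, makes two of them worse. "Server sent am extension response" should read "an" and "Server send unacceptable extension parameters" should read "sent"; both typos survive the rewrite. In the new unknown-extension line the closing quote after the interpolated name is gone, `"#{ name } }`, so the message opens a quote it never closes. In the RSV message the old fragments `RSV#{reserved[0]} }` and `%Q{ bit:` joined with two spaces, while the new fragments `RSV#{ reserved[0] }}` and `%Q{bit:` join with none and yield `RSV1bit:`; one space on one side of the join is needed. These strings surface in exception messages and server logs that operators rely on when a handshake is rejected, so they are worth correcting in the same release.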
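Review bot: the metadata hunk shows `cert_chain: []` and an empty `signing_key:` carried over unchanged, so websocket-extensions-0.1.5.gem is an unsigned gem and the spec's `Source: https://rubygems.org/gems/%{mod_full_name}.gem` pins nothing but a URL. Since this submission exists to ship a CVE fix, the request or the .changes entry should record the checksum of the gem that was fetched and compared against the one published on rubygems.org, so that the exact artifact the build consumed can be verified later without re-downloading. The `rubygems_version: 3.0.3` to `3.1.2` change only reflects the upstream packaging toolchain and needs no action.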
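Review bot: the CHANGELOG hunk records 0.1.5 as only "Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)", which tells downstream users nothing about exposure; it should state that the input is the `Sec-WebSocket-Extensions` handshake header, reachable by any client that can open a WebSocket handshake against the server, and that the affected construct is a quoted parameter value. The "Change license from MIT to Apache 2.0" line is inserted under the already-published 0.1.4 entry; LICENSE.md in the old tree is already Apache 2.0 and the spec already carries `License: Apache-2.0`, so the placement is consistent, but amending a released entry after the fact should be mentioned in the 0.1.5 entry so readers comparing the two changelogs are not surprised.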