Hello community,

here is the log from the commit of package rubygem-actionpack-5.2 for openSUSE:Factory checked in at 2020-10-05 19:29:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-5.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-5.2"

Mon Oct  5 19:29:14 2020 rev:10 rq:838011 version:5.2.4.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-actionpack-5.2/rubygem-actionpack-5.2.changes    2020-05-11 13:38:02.596701199 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.4249/rubygem-actionpack-5.2.changes  2020-10-05 19:29:16.656493745 +0200
@@ -1,0 +2,19 @@
+Fri Sep 25 13:19:36 UTC 2020 - Stephan Kulow <[email protected]>
+
+updated to version 5.2.4.4
+ see installed CHANGELOG.md
+
+  ## Rails 5.2.4.4 (September 09, 2020) ##
+  
+  *   No changes.
+  
+  
+  ## Rails 5.2.4.3 (May 18, 2020) ##
+  
+  *   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be 
used to reconstruct a per-form token
+  
+  *   [CVE-2020-8164] Return self when calling #each, #each_pair, and 
#each_value instead of the raw @parameters hash
+  
+  
+
+-------------------------------------------------------------------

Old:
----
  actionpack-5.2.4.2.gem

New:
----
  actionpack-5.2.4.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-5.2.spec ++++++
--- /var/tmp/diff_new_pack.BxR3AZ/_old  2020-10-05 19:29:17.372494437 +0200
+++ /var/tmp/diff_new_pack.BxR3AZ/_new  2020-10-05 19:29:17.376494441 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-5.2
-Version:        5.2.4.2
+Version:        5.2.4.4
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-5.2.4.2.gem -> actionpack-5.2.4.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2020-03-19 17:37:03.000000000 +0100
+++ new/CHANGELOG.md    2020-09-09 20:34:59.000000000 +0200
@@ -1,3 +1,15 @@
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be 
used to reconstruct a per-form token
+
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and 
#each_value instead of the raw @parameters hash
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   Fix possible information leak / session hijacking vulnerability.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_controller/metal/request_forgery_protection.rb new/lib/action_controller/metal/request_forgery_protection.rb
--- old/lib/action_controller/metal/request_forgery_protection.rb       2020-03-19 17:37:03.000000000 +0100
+++ new/lib/action_controller/metal/request_forgery_protection.rb       2020-09-09 20:34:59.000000000 +0200
@@ -318,13 +318,15 @@
           action_path = normalize_action_path(action)
           per_form_csrf_token(session, action_path, method)
         else
-          real_csrf_token(session)
+          global_csrf_token(session)
         end
 
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
         encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
-        Base64.strict_encode64(masked_token)
+        Base64.urlsafe_encode64(masked_token, padding: false)
+
+        mask_token(raw_token)
       end
 
       # Checks the client's masked token to see if it matches the
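Review bot: the four lines that precede `+        mask_token(raw_token)` (one_time_pad, encrypted_csrf_token, masked_token and the `+        Base64.urlsafe_encode64(masked_token, padding: false)` line) are dead code in the new version: their result is discarded and the method returns whatever mask_token produces, which in the later hunk of this file encodes with Base64.strict_encode64, not urlsafe_encode64 without padding. Either delete those lines, so a second random pad is not drawn and thrown away on every token issued, or make the encoding consistent; as written the hunk reads as if it changed the token encoding when the effective encoding is unchanged.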
@@ -354,7 +356,8 @@
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_real_token(csrf_token, session) ||
+          compare_with_global_token(csrf_token, session) ||
+            compare_with_real_token(csrf_token, session) ||
             valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed.
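Review bot: the retained `            compare_with_real_token(csrf_token, session) ||` fallback needs a comment stating its purpose. Issuance now uses global_csrf_token, so the only reason to keep accepting a token equal to the raw real_csrf_token is compatibility with masked tokens issued before the upgrade; that also means a raw session token that was exposed before the fix remains a valid credential until the session is rotated. Document the compatibility intent and when the fallback can be dropped. Each branch still uses fixed_length_secure_compare, so the short-circuiting `||` chain only reveals which of the three token kinds matched, not token contents, which is acceptable here.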
@@ -369,10 +372,21 @@
         xor_byte_strings(one_time_pad, encrypted_csrf_token)
       end
 
+      def mask_token(raw_token) # :doc:
+        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
+        masked_token = one_time_pad + encrypted_csrf_token
+        Base64.strict_encode64(masked_token)
+      end
+
       def compare_with_real_token(token, session) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, 
real_csrf_token(session))
       end
 
+      def compare_with_global_token(token, session) # :doc:
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, 
global_csrf_token(session))
+      end
+
       def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
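Review bot: mask_token and compare_with_global_token carry the `# :doc:` marker but no doc comment, so they will appear undocumented in generated API docs. Add a line to mask_token stating that it draws a fresh SecureRandom one-time pad on every call, XORs it with the raw token and prepends the pad before base64 encoding, so two masked tokens for the same session are never string-equal and consumers must go through unmask_token rather than compare encoded values. compare_with_global_token is a verbatim copy of compare_with_real_token with only the expected-token source swapped; a single private helper taking the expected token as an argument would remove the duplication.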
@@ -393,10 +407,21 @@
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
+        csrf_token_hmac(session, [action_path, method.downcase].join("#"))
+      end
+
+      GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
+      private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
+
+      def global_csrf_token(session) # :doc:
+        csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
+      end
+
+      def csrf_token_hmac(session, identifier) # :doc:
         OpenSSL::HMAC.digest(
           OpenSSL::Digest::SHA256.new,
           real_csrf_token(session),
-          [action_path, method.downcase].join("#")
+          identifier
         )
       end
 
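Review bot: the separation between global_csrf_token and per_form_csrf_token rests on an undocumented property. Both call csrf_token_hmac with the same key, real_csrf_token(session), and differ only in the identifier, so they remain distinct only because a per-form identifier is always `[action_path, method.downcase].join("#")` and therefore contains `#`, while `GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"` does not. Put a comment on the constant saying exactly that, so a later change to the per-form identifier format or to normalize_action_path cannot silently let an action path collide with the global identifier. Also, declaring a constant and `private_constant` between method definitions is unusual for this file; placing it next to AUTHENTICITY_TOKEN_LENGTH would be the conventional spot.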
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_controller/metal/strong_parameters.rb new/lib/action_controller/metal/strong_parameters.rb
--- old/lib/action_controller/metal/strong_parameters.rb        2020-03-19 17:37:03.000000000 +0100
+++ new/lib/action_controller/metal/strong_parameters.rb        2020-09-09 20:34:59.000000000 +0200
@@ -337,6 +337,8 @@
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
+
+      self
     end
     alias_method :each, :each_pair
 
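Review bot: the changelog entry for CVE-2020-8164 names #each, #each_pair and #each_value, but this hunk only changes each_pair (and each, through the existing `alias_method :each, :each_pair`); nothing here touches each_value. Confirm that each_value is either fixed by another change in the 5.2.4.3 gem or never returned the raw @parameters hash, otherwise that method still hands callers the unfiltered Hash. A regression test asserting that each_pair with a block returns the Parameters instance rather than a Hash would pin this fix.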
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_pack/gem_version.rb new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2020-03-19 17:37:04.000000000 +0100
+++ new/lib/action_pack/gem_version.rb  2020-09-09 20:34:59.000000000 +0200
@@ -10,7 +10,7 @@
     MAJOR = 5
     MINOR = 2
     TINY  = 4
-    PRE   = "2"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-03-19 17:37:03.000000000 +0100
+++ new/metadata        2020-09-09 20:34:59.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.2.4.2
+  version: 5.2.4.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-19 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.4
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: [email protected]
@@ -299,8 +299,8 @@
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.2/actionpack
-  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.4.2/actionpack/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/actionpack
+  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.4.4/actionpack/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -317,7 +317,7 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).

