Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-2.2 for
openSUSE:Factory checked in at 2025-10-16 17:39:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.18484 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2"
Thu Oct 16 17:39:07 2025 rev:18 rq:1311616 version:2.2.20
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes
2025-10-09 15:09:25.370014165 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.18484/rubygem-rack-2.2.changes
2025-10-16 17:39:51.875220133 +0200
@@ -1,0 +2,7 @@
+Tue Oct 14 13:32:37 UTC 2025 - Aleksei Burlakov <[email protected]>
+
+- update to version 2.2.20 (bsc#1251936)
+
+ * [CVE-2025-61919] application/x-www-form-urlencoded`, calling
`rack.input.read(nil)` without enforcing a length or cap
+
+-------------------------------------------------------------------
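Review bot: the changelog entry for CVE-2025-61919 is a sentence fragment (it starts mid-sentence at `application/x-www-form-urlencoded`` with an unbalanced backtick) and the entry omits CVE-2025-61780, the `Rack::Sendfile` proxy bypass that upstream's CHANGELOG.md lists as the second security fix in 2.2.20. Suggest rewording to `* [CVE-2025-61919] Unbounded read in Rack::Request form parsing can lead to memory exhaustion` and adding `* [CVE-2025-61780] Improper handling of headers in Rack::Sendfile may allow proxy bypass`.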
Old:
----
rack-2.2.19.gem
New:
----
rack-2.2.20.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.afzO19/_old 2025-10-16 17:39:52.463244880 +0200
+++ /var/tmp/diff_new_pack.afzO19/_new 2025-10-16 17:39:52.467245048 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-rack-2.2
-Version: 2.2.19
+Version: 2.2.20
Release: 0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
++++++ rack-2.2.19.gem -> rack-2.2.20.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
+++ new/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
@@ -2,6 +2,13 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.20] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper
handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm)
Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
## [2.2.19] - 2025-10-07
### Security
@@ -14,7 +21,7 @@
### Security
--
[CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion via semicolon-separated parameters.
+- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion via semicolon-separated parameters.
## [2.2.17] - 2025-06-03
@@ -32,26 +39,26 @@
### Security
--
[CVE-2025-32441](https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g)
Rack session can be restored after deletion.
--
[CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion.
+- [CVE-2025-32441](https://github.com/advisories/GHSA-vpfw-47h7-xj4g) Rack
session can be restored after deletion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion.
## [2.2.13] - 2025-03-11
### Security
--
[CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v)
Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local
file inclusion in `Rack::Static`.
## [2.2.12] - 2025-03-04
### Security
--
[CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v)
Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible
Log Injection in `Rack::Sendfile`.
## [2.2.11] - 2025-02-12
### Security
--
[CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg)
Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible
Log Injection in `Rack::CommonLogger`.
## [2.2.10] - 2024-10-14
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/query_parser.rb new/lib/rack/query_parser.rb
--- old/lib/rack/query_parser.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/query_parser.rb 1980-01-02 01:00:00.000000000 +0100
@@ -51,6 +51,8 @@
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
private_constant :PARAMS_LIMIT
+ attr_reader :bytesize_limit
+
def initialize(params_class, key_space_limit, param_depth_limit,
bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
@params_class = params_class
@key_space_limit = key_space_limit
@@ -185,7 +187,7 @@
def check_query_string(qs, sep)
if qs
if qs.bytesize > @bytesize_limit
- raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds
limit (#{@bytesize_limit})"
+ raise QueryLimitError, "total query size exceeds limit
(#{@bytesize_limit})"
end
if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >=
@params_limit
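Review bot: dropping `#{qs.bytesize}` from the QueryLimitError message removes the only place the actual oversize value was reported, so anyone triaging these errors in logs no longer sees how large the rejected query was. The change is consistent with the bounded `read(query_parser.bytesize_limit + 2)` in request.rb, after which the true body size is unknown and the old message would have reported a misleading number, but that trade-off deserves a sentence in the CHANGELOG or commit message.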
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb
--- old/lib/rack/request.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/request.rb 1980-01-02 01:00:00.000000000 +0100
@@ -444,7 +444,10 @@
get_header(RACK_REQUEST_FORM_HASH)
elsif form_data? || parseable_data?
unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
- form_vars = get_header(RACK_INPUT).read
+ # Add 2 bytes. One to check whether it is over the limit, and a
second
+ # in case the slice! call below removes the last byte
+ # If read returns nil, use the empty string
+ form_vars =
get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
# Fix for Safari Ajax postings that always append \0
# form_vars.sub!(/\0\z/, '') # performance replacement:
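Review bot: the bounded read only closes the hole if `check_query_string` rejects the result afterward, and `+ 2` is what guarantees at least one byte over the limit survives even when the trailing `\0` is stripped; the `|| ''` is required because `read` with a positive length returns nil at EOF, whereas the old argument-less `read` returned an empty string. Two things the comment should state: the remainder of an oversized body is left unconsumed in `rack.input` for anything downstream that reads it, and the form-body cap is deliberately the query parser's `bytesize_limit` (`BYTESIZE_LIMIT` default) rather than a separate setting.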
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/sendfile.rb new/lib/rack/sendfile.rb
--- old/lib/rack/sendfile.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/sendfile.rb 1980-01-02 01:00:00.000000000 +0100
@@ -40,18 +40,23 @@
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
- # proxy_set_header X-Sendfile-Type X-Accel-Redirect;
# proxy_set_header X-Accel-Mapping /var/www/=/files/;
#
# proxy_pass http://127.0.0.1:8080/;
# }
#
- # Note that the X-Sendfile-Type header must be set exactly as shown above.
# The X-Accel-Mapping header should specify the location on the file system,
# followed by an equals sign (=), followed name of the private URL pattern
# that it maps to. The middleware performs a simple substitution on the
# resulting path.
#
+ # To enable X-Accel-Redirect, you must configure the middleware explicitly:
+ #
+ # use Rack::Sendfile, "X-Accel-Redirect"
+ #
+ # For security reasons, the X-Sendfile-Type header from requests is ignored.
+ # The sendfile variation must be set via the middleware constructor.
+ #
# See Also:
https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
#
# === lighttpd
@@ -96,13 +101,25 @@
# X-Accel-Mapping header. Mappings should be provided in tuples of internal
to
# external. The internal values may contain regular expression syntax, they
# will be matched with case indifference.
+ #
+ # When X-Accel-Redirect is explicitly enabled via the variation parameter,
+ # and no application-level mappings are provided, the middleware will read
+ # the X-Accel-Mapping header from the proxy. This allows nginx to control
+ # the path mapping without requiring application-level configuration.
+ #
+ # === Security
+ #
+ # For security reasons, the X-Sendfile-Type header from HTTP requests is
+ # ignored. The sendfile variation must be explicitly configured via the
+ # middleware constructor to prevent information disclosure vulnerabilities
+ # where attackers could bypass proxy restrictions.
class Sendfile
def initialize(app, variation = nil, mappings = [])
@app = app
@variation = variation
@mappings = mappings.map do |internal, external|
- [/^#{internal}/i, external]
+ [/\A#{internal}/i, external]
end
end
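Review bot: switching the mapping anchor from `^` to `\A` is the substantive part of this hunk and should be called out in the CHANGELOG or commit message: in Ruby `^` matches at the start of every line, so an `internal` prefix could match after an embedded newline in the path, while `\A` anchors only to the start of the string. Since `internal` is still interpolated into the Regexp unescaped (the comment above says it may contain regular expression syntax), the new `=== Security` section would benefit from a line noting that constructor mappings are trusted configuration, not request data.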
@@ -140,22 +157,35 @@
end
private
+
def variation(env)
- @variation ||
- env['sendfile.type'] ||
- env['HTTP_X_SENDFILE_TYPE']
+ # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security
reasons.
+ # Attackers could use this header to enable x-accel-redirect and bypass
proxy restrictions.
+ @variation || env['sendfile.type']
+ end
+
+ def x_accel_mapping(env)
+ # Only allow header when:
+ # 1. X-Accel-Redirect is explicitly enabled via constructor.
+ # 2. No application-level mappings are configured.
+ return nil unless @variation =~ /x-accel-redirect/i
+ return nil if @mappings.any?
+
+ env['HTTP_X_ACCEL_MAPPING']
end
def map_accel_path(env, path)
if mapping = @mappings.find { |internal, _| internal =~ path }
- path.sub(*mapping)
- elsif mapping = env['HTTP_X_ACCEL_MAPPING']
+ return path.sub(*mapping)
+ elsif mapping = x_accel_mapping(env)
+ # Safe to use header: explicit config + no app mappings:
mapping.split(',').map(&:strip).each do |m|
internal, external = m.split('=', 2).map(&:strip)
- new_path = path.sub(/^#{internal}/i, external)
+ new_path = path.sub(/\A#{internal}/i, external)
return new_path unless path == new_path
end
- path
+
+ return path
end
end
end
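Review bot: `x_accel_mapping` gates on `@variation` alone, so an application that enables X-Accel-Redirect through `env['sendfile.type']` rather than the constructor will never have the proxy's X-Accel-Mapping header honoured; that matches the documented requirement ("must be set via the middleware constructor"), but it is worth saying so in the comment, since `variation(env)` still accepts `env['sendfile.type']`. Separately, `map_accel_path` still returns nil when neither branch matches (unchanged from before), so the explicit `return path` only covers the header branch; a trailing `path` after the `if` would make the method always return a String.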
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.19"
+ RELEASE = "2.2.20"
# Return the Rack release as a dotted string.
def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 1980-01-02 01:00:00.000000000 +0100
+++ new/metadata 1980-01-02 01:00:00.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rack
version: !ruby/object:Gem::Version
- version: 2.2.19
+ version: 2.2.20
platform: ruby
authors:
- Leah Neukirchen