Hello community,

here is the log from the commit of package rubygem-rack-2.2 for 
openSUSE:Factory checked in at 2025-11-25 17:24:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.14147 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack-2.2"

Tue Nov 25 17:24:53 2025 rev:19 rq:1319964 version:2.2.21

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes        
2025-10-16 17:39:51.875220133 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.14147/rubygem-rack-2.2.changes 
    2025-11-25 17:25:28.588379565 +0100
@@ -1,0 +2,9 @@
+Tue Nov 25 10:37:00 UTC 2025 - Eduardo Navarro <[email protected]>
+
+- update to version 2.2.21
+
+   * Multipart parser: limit MIME header size check to the unread buffer region
+     to avoid false multipart mime part header too large errors when previously
+     read data accumulates in the scan buffer.
+
+-------------------------------------------------------------------
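
Review bot: the new entry in rubygem-rack-2.2.changes describes the multipart fix but carries no pointer to the upstream change. The bundled CHANGELOG.md cites it as #2392 (https://github.com/rack/rack/pull/2392); adding that reference to the bullet would let someone auditing the package trace the fix without unpacking the gem.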

Old:
----
  rack-2.2.20.gem

New:
----
  rack-2.2.21.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.dYjUOs/_old  2025-11-25 17:25:29.408414149 +0100
+++ /var/tmp/diff_new_pack.dYjUOs/_new  2025-11-25 17:25:29.412414318 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-rack-2.2
-Version:        2.2.20
+Version:        2.2.21
 Release:        0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}

++++++ rack-2.2.20.gem -> rack-2.2.21.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    1980-01-02 01:00:00.000000000 +0100
+++ new/CHANGELOG.md    1980-01-02 01:00:00.000000000 +0100
@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file. For info 
on how to format all future additions to this file please reference [Keep A 
Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [2.2.21] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region 
to avoid false `multipart mime part header too large` errors when previously 
read data accumulates in the scan buffer. 
([#2392](https://github.com/rack/rack/pull/2392), 
[@alpaca-tc](https://github.com/alpaca-tc), 
[@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
 ## [2.2.20] - 2025-10-10
 
 ### Security
@@ -9,6 +15,13 @@
 - [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper 
handling of headers in `Rack::Sendfile` may allow proxy bypass.
 - [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) 
Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
 
+## [2.2.20] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region 
to avoid false `multipart mime part header too large` errors when previously 
read data accumulates in the scan buffer. 
([#2392](https://github.com/rack/rack/pull/2392), 
[@alpaca-tc](https://github.com/alpaca-tc), 
[@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
+
 ## [2.2.19] - 2025-10-07
 
 ### Security
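
Review bot: the added `## [2.2.20] - 2025-11-03` section duplicates an existing version heading (`## [2.2.20] - 2025-10-10` directly above it) and repeats verbatim the #2392 entry that the previous hunk already adds under `## [2.2.21] - 2025-11-03`. Because it sits under the 2.2.20 Security section, a reader checking what 2.2.20 contains would see a fix that, per the parser.rb diff between the two gems, only ships in 2.2.21. Suggest reporting this upstream so the block is dropped and the multipart fix is listed once, under 2.2.21.
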
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb 
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb    1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/multipart/parser.rb    1980-01-02 01:00:00.000000000 +0100
@@ -314,7 +314,7 @@
         else
           # We raise if the mime part header is too large, to avoid unbounded 
memory
           # buffering. Note that the actual limit is the higher of 64KB and 
the buffer size (1MB by default)
-          raise EOFError, "multipart mime part header too large" if 
@sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+          raise EOFError, "multipart mime part header too large" if 
@sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
 
           return :want_read
         end
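
Review bot: the comment above the changed `raise` still presents the check as a guard against unbounded memory buffering, but the condition now measures `@sbuf.rest.bytesize`, so bytes already consumed from `@sbuf` no longer count toward `MIME_HEADER_BYTESIZE_LIMIT`. The comment should say the limit applies to the unread region only, and it is worth confirming that the consumed part of the scan buffer is discarded elsewhere in the parser, since this line no longer bounds the buffer's total size. No test for the accumulated-buffer case is visible in this diff; a regression test covering it would be good to carry with the fix.
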
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb     1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/version.rb     1980-01-02 01:00:00.000000000 +0100
@@ -20,7 +20,7 @@
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.20"
+  RELEASE = "2.2.21"
 
   # Return the Rack release as a dotted string.
   def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        1980-01-02 01:00:00.000000000 +0100
+++ new/metadata        1980-01-02 01:00:00.000000000 +0100
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.20
+  version: 2.2.21
 platform: ruby
 authors:
 - Leah Neukirchen
