Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package hawk2 for openSUSE:Factory checked in at 2026-03-03 15:30:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hawk2 (Old) and /work/SRC/openSUSE:Factory/.hawk2.new.29461 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hawk2" Tue Mar 3 15:30:51 2026 rev:36 rq:1335868 version:2.7.0+git.1772201206.4725acc7 Changes: -------- --- /work/SRC/openSUSE:Factory/hawk2/hawk2.changes 2026-02-17 17:59:19.339882791 +0100 +++ /work/SRC/openSUSE:Factory/.hawk2.new.29461/hawk2.changes 2026-03-03 15:31:33.054577879 +0100 @@ -1,0 +2,12 @@ +Mon Mar 02 15:38:34 UTC 2026 - Aleksei Burlakov <[email protected]> + +- Update to version 2.7.0+git.1772201206.4725acc7: + * bump rubygem rack to 3.2.5 (bsc#1258453,bsc#125854,bsc#125857,bsc#125858) + * Test: add leap16.0 hawk-node + * Fix: nodes `Clear state` doesn't depend on Fencing + * Test: build the hypervisor `hawk-examiner` runtime + * Test: make e2e selenium-v4 compatible + * Test: build `hawk-node` run-time + * Fix: don't inflect/capitalize FENCING + +------------------------------------------------------------------- Old: ---- hawk2-2.7.0+git.1771332649.1644092c.tar.bz2 rack-3.2.4.gem New: ---- hawk2-2.7.0+git.1772201206.4725acc7.tar.bz2 rack-3.2.5.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hawk2.spec ++++++ --- /var/tmp/diff_new_pack.43Jsl9/_old 2026-03-03 15:31:36.858734760 +0100 +++ /var/tmp/diff_new_pack.43Jsl9/_new 2026-03-03 15:31:36.862734925 +0100 @@ -1,7 +1,7 @@ # # spec file for package hawk2 # -# Copyright (c) 2026 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -41,7 +41,7 @@ Summary: HA Web Konsole License: GPL-2.0-only Group: %{pkg_group} -Version: 2.7.0+git.1771332649.1644092c +Version: 2.7.0+git.1772201206.4725acc7 Release: 0 URL: http://www.clusterlabs.org/wiki/Hawk Source: %{name}-%{version}.tar.bz2 
@@ -110,7 +110,7 @@ Source62: psych-5.3.1.gem Source63: puma-7.1.0.gem Source64: racc-1.8.1.gem -Source65: rack-3.2.4.gem +Source65: rack-3.2.5.gem Source66: rack-session-2.1.1.gem Source67: rack-test-2.2.0.gem Source68: rackup-2.3.1.gem @@ -176,12 +176,12 @@ Provides: group(%{gname}) BuildRequires: distribution-release -BuildRequires: timezone -BuildRequires: make BuildRequires: gcc-c++ -BuildRequires: ruby-devel -BuildRequires: libyaml-devel BuildRequires: libxslt-devel +BuildRequires: libyaml-devel +BuildRequires: make +BuildRequires: ruby-devel +BuildRequires: timezone BuildRequires: rubygem(%{rb_build_abi}:bundler) Requires: rubygem(%{rb_build_abi}:bundler) @@ -335,7 +335,6 @@ %postun %service_del_postun hawk.service hawk-backend.service - %files -f hawk.lang %if %{defined _sysusersdir} ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.43Jsl9/_old 2026-03-03 15:31:37.078743833 +0100 +++ /var/tmp/diff_new_pack.43Jsl9/_new 2026-03-03 15:31:37.082743998 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/ClusterLabs/hawk.git</param> - <param name="changesrevision">8e9884f3bd31649932a342b1664eb1cf481d663e</param></service></servicedata> + <param name="changesrevision">4725acc7fdc79b7812d5b210e07d4ce0a69d9604</param></service></servicedata> (No newline at EOF) ++++++ gemfile-lock.patch ++++++ --- /var/tmp/diff_new_pack.43Jsl9/_old 2026-03-03 15:31:37.222749772 +0100 +++ /var/tmp/diff_new_pack.43Jsl9/_new 2026-03-03 15:31:37.226749937 +0100 @@ -203,7 +203,7 @@ + puma (7.1.0) + nio4r (~> 2.0) + racc (1.8.1) -+ rack (3.2.4) ++ rack (3.2.5) + rack-session (2.1.1) + base64 (>= 0.1.0) + rack (>= 3.0.0) 
@@ -374,7 +374,7 @@ + psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974 + puma (7.1.0) sha256=e45c10cb124f224d448c98db653a75499794edbecadc440ad616cf50f2fd49dd + racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f -+ rack (3.2.4) sha256=5d74b6f75082a643f43c1e76b419c40f0e5527fcfee1e669ac1e6b73c0ccb6f6 ++ rack (3.2.5) sha256=4cbd0974c0b79f7a139b4812004a62e4c60b145cba76422e288ee670601ed6d3 + rack-session (2.1.1) sha256=0b6dc07dea7e4b583f58a48e8b806d4c9f1c6c9214ebc202ec94562cbea2e4e9 + rack-test (2.2.0) sha256=005a36692c306ac0b4a9350355ee080fd09ddef1148a5f8b2ac636c720f5c463 + rackup (2.3.1) sha256=6c79c26753778e90983761d677a48937ee3192b3ffef6bc963c0950f94688868 ++++++ hawk2-2.7.0+git.1771332649.1644092c.tar.bz2 -> hawk2-2.7.0+git.1772201206.4725acc7.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/hawk2/hawk2-2.7.0+git.1771332649.1644092c.tar.bz2 /work/SRC/openSUSE:Factory/.hawk2.new.29461/hawk2-2.7.0+git.1772201206.4725acc7.tar.bz2 differ: char 11, line 1 ++++++ rack-3.2.4.gem -> rack-3.2.5.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100 +++ new/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100 
@@ -2,6 +2,17 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/). +## Unreleased + +### Security + +- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`. +- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`. + +### Fixed + +- Fix `Rack::MockResponse#body` when the body is a Proc. ([#2420](https://github.com/rack/rack/pull/2420), [#2423](https://github.com/rack/rack/pull/2423), [@tavianator](https://github.com/tavianator), [@ioquatix]) + ## [3.2.4] - 2025-11-03 ### Fixed Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/directory.rb new/lib/rack/directory.rb --- old/lib/rack/directory.rb 1980-01-02 01:00:00.000000000 +0100 +++ new/lib/rack/directory.rb 1980-01-02 01:00:00.000000000 +0100 @@ -17,7 +17,7 @@ # If +app+ is not specified, a Rack::Files of the same +root+ will be used. class Directory - DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n" + DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n" DIR_PAGE_HEADER = <<-PAGE <html><head> <title>%s</title> @@ -82,6 +82,7 @@ # Set the root directory and application for serving files. def initialize(root, app = nil) @root = ::File.expand_path(root) + @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}" @app = app || Files.new(@root) @head = Head.new(method(:get)) end 
@@ -118,7 +119,9 @@ # Rack response to use for requests with paths outside the root, or nil if path is inside the root. def check_forbidden(path_info) return unless path_info.include? ".." - return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root) + + expanded_path = ::File.expand_path(::File.join(@root, path_info)) + return if expanded_path == @root || expanded_path.start_with?(@root_with_separator) body = "Forbidden\n" [403, { CONTENT_TYPE => "text/plain", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/mock_response.rb new/lib/rack/mock_response.rb --- old/lib/rack/mock_response.rb 1980-01-02 01:00:00.000000000 +0100 +++ new/lib/rack/mock_response.rb 1980-01-02 01:00:00.000000000 +0100 @@ -1,5 +1,6 @@ # frozen_string_literal: true +require 'stringio' require 'time' require_relative 'response' @@ -82,8 +83,16 @@ # end buffer = @buffered_body = String.new - @body.each do |chunk| - buffer << chunk + begin + if @body.respond_to?(:each) + @body.each do |chunk| + buffer << chunk + end + else + @body.call(StringIO.new(buffer)) + end + ensure + @body.close if @body.respond_to?(:close) end return buffer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb --- old/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100 +++ new/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100 @@ -6,7 +6,7 @@ # See MIT-LICENSE or https://opensource.org/licenses/MIT. module Rack - VERSION = "3.2.4" + VERSION = "3.2.5" RELEASE = VERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 1980-01-02 01:00:00.000000000 +0100 +++ new/metadata 1980-01-02 01:00:00.000000000 +0100 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 3.2.4 + version: 3.2.5 platform: ruby authors: - Leah Neukirchen 
@@ -156,7 +156,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.6.9 +rubygems_version: 4.0.3 specification_version: 4 summary: A modular Ruby webserver interface. test_files: []
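Review bot: in the `hawk2.changes` hunk the bug references on the `bump rubygem rack to 3.2.5` line are inconsistent in length: `bsc#1258453` has seven digits while `bsc#125854`, `bsc#125857` and `bsc#125858` have six, which looks like a typo in the last three; please verify the numbers before accepting. The bundled rack CHANGELOG hunk names CVE-2026-25500 and CVE-2026-22860 as the security fixes carried by 3.2.5, so listing those two CVE ids on the same changelog line would make the security content of this update visible to anyone scanning the package history.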
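Review bot: the BuildRequires change in the `hawk2.spec` hunk is a pure reordering with no dependency added or dropped; the four removed lines (`timezone`, `make`, `ruby-devel`, `libyaml-devel`) reappear as the four added lines in alphabetical position, so there is no functional impact to review there.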
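Review bot: the `gemfile-lock.patch` hunk changes both the pinned version (`rack (3.2.5)`) and the pinned checksum (`sha256=4cbd0974c0b7...`); since bundler uses that checksum to accept the gem, the new value should be confirmed against the checksum published for rack 3.2.5 rather than taken from the bundled `rack-3.2.5.gem` alone, and the new `Source65: rack-3.2.5.gem` line in the spec must point at the same file that checksum was computed from.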
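Review bot: in the `DIR_FILE` hunk of `lib/rack/directory.rb` the change from `href='%s'` to `href='./%s'` forces every listing link to resolve as a relative path, so an entry name can no longer be interpreted by the browser as an absolute URL or a scheme. The `%s` values for name, size, type and mtime are still interpolated into the HTML on that line without any escaping visible in this hunk; given that the CHANGELOG hunk credits this release with fixing an XSS via malicious filename (CVE-2026-25500), confirm that the call site escapes the file name before formatting, because the `./` prefix alone does not neutralise markup inside the name.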
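Review bot: the new `check_forbidden` test `expanded_path == @root || expanded_path.start_with?(@root_with_separator)` closes the prefix bypass present in the removed `start_with?(@root)` line, which accepted any sibling directory whose name merely begins with the root string (a root of `/srv/www` also matched `/srv/www-private`); the `@root_with_separator` computation added to `initialize` guards the case where the root already ends with a separator, so a root of `/` still yields a single separator. One point remains: the `return unless path_info.include? ".."` guard is untouched, so the whole check is skipped for any path that carries no `..` component and the method continues to rely on the downstream `Files` app for those; a comment stating that assumption next to the guard would save the next reader from wondering whether the fix is incomplete.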
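Review bot: in the `lib/rack/mock_response.rb` hunk the `else` branch calls `@body.call(StringIO.new(buffer))` for any body that does not respond to `each`, so a body that responds to neither `each` nor `call` now fails with a `NoMethodError` on `call` instead of on `each`; an explicit `elsif @body.respond_to?(:call)` with a descriptive error in the final `else` would keep that failure meaningful. The added `ensure` / `@body.close if @body.respond_to?(:close)` is an improvement over the removed lines, which did not close the body and would have leaked it when `each` raised. The `require 'stringio'` added in the first hunk is needed by the new `StringIO.new(buffer)` call.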
