Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-actionpack-7.0 for 
openSUSE:Factory checked in at 2023-03-08 14:52:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-7.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-7.0"

Wed Mar  8 14:52:18 2023 rev:7 rq:1067312 version:7.0.4.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-7.0/rubygem-actionpack-7.0.changes
    2022-10-12 18:26:28.797926068 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.31432/rubygem-actionpack-7.0.changes
 2023-03-08 14:52:22.442611173 +0100
@@ -1,0 +2,25 @@
+Fri Jan 27 13:44:49 UTC 2023 - Valentin Lefebvre <valentin.lefeb...@suse.com>
+
+- Update to version 7.0.4.1
+  see installed CHANGELOG.md
+  fix CVE-2023-22795 (bsc#1207451)
+  fix CVE-2023-22792 (bsc#1207455)
+
+  ## Rails 7.0.4.1 (January 17, 2023) ##
+  
+  *   Fix sec issue with _url_host_allowed?
+  
+      Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+      to malicious sites.
+  
+      [CVE-2023-22797]
+  
+  *   Avoid regex backtracking on If-None-Match header
+  
+      [CVE-2023-22795]
+  
+  *   Use string#split instead of regex for domain parts
+  
+      [CVE-2023-22792] 
+
+-------------------------------------------------------------------
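Review bot: the `fix CVE-...` lines name only CVE-2023-22795 and CVE-2023-22792, but the CHANGELOG excerpt pasted into the same entry also lists CVE-2023-22797 (the `_url_host_allowed?` redirect fix), so add a `fix CVE-2023-22797` line, with its bsc reference if one exists, so the security tracker and anyone grepping the .changes file sees all three fixes shipped in 7.0.4.1.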

Old:
----
  actionpack-7.0.4.gem

New:
----
  actionpack-7.0.4.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-7.0.spec ++++++
--- /var/tmp/diff_new_pack.jmXKhl/_old  2023-03-08 14:52:23.018614309 +0100
+++ /var/tmp/diff_new_pack.jmXKhl/_new  2023-03-08 14:52:23.022614332 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-actionpack-7.0
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-7.0
-Version:        7.0.4
+Version:        7.0.4.1
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-7.0.4.gem -> actionpack-7.0.4.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2022-09-09 20:42:19.000000000 +0200
+++ new/CHANGELOG.md    2023-01-17 19:54:56.000000000 +0100
@@ -1,3 +1,21 @@
+## Rails 7.0.4.1 (January 17, 2023) ##
+
+*   Fix sec issue with _url_host_allowed?
+
+    Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+    to malicious sites.
+
+    [CVE-2023-22797]
+
+*   Avoid regex backtracking on If-None-Match header
+
+    [CVE-2023-22795]
+
+*   Use string#split instead of regex for domain parts
+
+    [CVE-2023-22792]
+
+
 ## Rails 7.0.4 (September 09, 2022) ##
 
 *   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in 
`Server-Timing`.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/redirecting.rb 
new/lib/action_controller/metal/redirecting.rb
--- old/lib/action_controller/metal/redirecting.rb      2022-09-09 
20:42:19.000000000 +0200
+++ new/lib/action_controller/metal/redirecting.rb      2023-01-17 
19:54:56.000000000 +0100
@@ -196,7 +196,11 @@
 
       def _url_host_allowed?(url)
         host = URI(url.to_s).host
-        host == request.host || host.nil? && url.to_s.start_with?("/")
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        return !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end
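Review bot: `url.to_s` is evaluated up to three times on the new lines; hoist it into a local above the `host` lookup (e.g. `str = url.to_s`) so the checks read against one value. A short comment stating why a `//`-prefixed string is rejected even after `host` was found to be `nil` would help future readers, since the reason is not visible from the code itself, and the new branch should come with test cases for `/path`, `//path` and an absolute URL on `request.host` so the behaviour of each `return` is pinned down.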
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/http/cache.rb 
new/lib/action_dispatch/http/cache.rb
--- old/lib/action_dispatch/http/cache.rb       2022-09-09 20:42:19.000000000 
+0200
+++ new/lib/action_dispatch/http/cache.rb       2023-01-17 19:54:56.000000000 
+0100
@@ -18,7 +18,7 @@
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)
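Review bot: `.each(&:strip!)` only works because `each` returns the receiver (`strip!` itself returns `nil` when nothing was stripped); `if_none_match.split(",").map(&:strip)` expresses the same thing without relying on in-place mutation and is the idiomatic form. Since this replaces the `/\s*,\s*/` split named in the changelog entry "Avoid regex backtracking on If-None-Match header" (CVE-2023-22795), a unit test feeding a header with many spaces around the commas would document why the regex was dropped and guard against it being reintroduced.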
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/middleware/cookies.rb 
new/lib/action_dispatch/middleware/cookies.rb
--- old/lib/action_dispatch/middleware/cookies.rb       2022-09-09 
20:42:19.000000000 +0200
+++ new/lib/action_dispatch/middleware/cookies.rb       2023-01-17 
19:54:56.000000000 +0100
@@ -290,20 +290,6 @@
     class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
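Review bot: `DOMAIN_REGEXP` was a constant on `CookieJar`, so deleting it outright is an API change for any application or gem that referenced it, even though the class is marked `:nodoc:`. The CHANGELOG entry "Use string#split instead of regex for domain parts" does not mention the removal; either call it out there or keep the constant (with a deprecation) for one release.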
@@ -456,13 +442,35 @@
           options[:same_site] ||= cookies_same_site_protection.call(request)
 
           if options[:domain] == :all || options[:domain] == "all"
-            # If there is a provided tld length then we use it otherwise 
default domain regexp.
-            domain_regexp = options[:tld_length] ? 
/([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+            cookie_domain = ""
+            dot_splitted_host = request.host.split('.', -1)
+
+            # Case where request.host is not an IP address or it's an invalid 
domain
+            # (ip confirms to the domain structure we expect so we explicitly 
check for ip)
+            if request.host.match?(/^[\d.]+$/) || 
dot_splitted_host.include?("") || dot_splitted_host.length == 1
+              options[:domain] = nil
+              return
+            end
+
+            # If there is a provided tld length then we use it otherwise 
default domain.
+            if options[:tld_length].present? 
+              # Case where the tld_length provided is valid
+              if dot_splitted_host.length >= options[:tld_length]
+                cookie_domain = 
dot_splitted_host.last(options[:tld_length]).join('.')
+              end
+            # Case where tld_length is not provided
+            else
+              # Regular TLDs
+              if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
+                cookie_domain = dot_splitted_host.last(2).join('.')
+              # **.**, ***.** style TLDs like co.uk and com.au
+              else
+                cookie_domain = dot_splitted_host.last(3).join('.')
+              end
+            end
 
-            # If host is not ip and matches domain regexp.
-            # (ip confirms to domain regexp so we explicitly check for ip)
-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && 
(request.host =~ domain_regexp)
-              ".#{$&}"
+            options[:domain] = if cookie_domain.present?
+              ".#{cookie_domain}"
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.
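Review bot: the two-part TLD test `/([^.]{2,3}\.[^.]{2})$/` is not anchored to a label boundary on the left, so it matches inside a longer label: for `www.example.io` the substring `ple.io` matches, the `else` branch runs, `dot_splitted_host.last(3)` is taken and the cookie domain becomes `.www.example.io` instead of `.example.io`. The removed `DOMAIN_REGEXP` did not have this problem because its group was always preceded by `\.`; anchoring the short label, e.g. `/(?:^|\.)[^.]{2,3}\.[^.]{2}$/`, restores that and still matches `co.uk` and `com.au`. Two smaller points on the same hunk: the bare `return` after `options[:domain] = nil` exits the whole enclosing method rather than just the `:all` branch, so any option handling that follows this `if`/`elsif` chain is skipped for IP and single-label hosts, and letting control fall through with `options[:domain]` already `nil` would be safer; and the comment "Case where request.host is not an IP address or it's an invalid domain" states the opposite of the condition beneath it, which handles hosts that are an IP address, contain an empty label, or consist of a single label.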
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb 
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2022-09-09 20:42:19.000000000 +0200
+++ new/lib/action_pack/gem_version.rb  2023-01-17 19:54:56.000000000 +0100
@@ -10,7 +10,7 @@
     MAJOR = 7
     MINOR = 0
     TINY  = 4
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2022-09-09 20:42:19.000000000 +0200
+++ new/metadata        2023-01-17 19:54:56.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.4
+  version: 7.0.4.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-09 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: da...@loudthinking.com
@@ -310,10 +310,10 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.4/
+  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.3
+rubygems_version: 3.4.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).
