Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-actionpack-7.0 for openSUSE:Factory checked in at 2023-03-08 14:52:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-7.0 (Old) and /work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-7.0" Wed Mar 8 14:52:18 2023 rev:7 rq:1067312 version:7.0.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-actionpack-7.0/rubygem-actionpack-7.0.changes 2022-10-12 18:26:28.797926068 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.31432/rubygem-actionpack-7.0.changes 2023-03-08 14:52:22.442611173 +0100 @@ -1,0 +2,25 @@ +Fri Jan 27 13:44:49 UTC 2023 - Valentin Lefebvre <valentin.lefeb...@suse.com> + +- Update to version 7.0.4.1 + see installed CHANGELOG.md + fix CVE-2023-22795 (bsc#1207451) + fix CVE-2023-22792 (bsc#1207455) + + ## Rails 7.0.4.1 (January 17, 2023) ## + + * Fix sec issue with _url_host_allowed? + + Disallow certain strings from `_url_host_allowed?` to avoid a redirect + to malicious sites. + + [CVE-2023-22797] + + * Avoid regex backtracking on If-None-Match header + + [CVE-2023-22795] + + * Use string#split instead of regex for domain parts + + [CVE-2023-22792] + +------------------------------------------------------------------- Old: ---- actionpack-7.0.4.gem New: ---- actionpack-7.0.4.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionpack-7.0.spec ++++++ --- /var/tmp/diff_new_pack.jmXKhl/_old 2023-03-08 14:52:23.018614309 +0100 +++ /var/tmp/diff_new_pack.jmXKhl/_new 2023-03-08 14:52:23.022614332 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-actionpack-7.0 # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -24,7 +24,7 @@ # Name: rubygem-actionpack-7.0 -Version: 7.0.4 +Version: 7.0.4.1 Release: 0 %define mod_name actionpack %define mod_full_name %{mod_name}-%{version} ++++++ actionpack-7.0.4.gem -> actionpack-7.0.4.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2022-09-09 20:42:19.000000000 +0200 +++ new/CHANGELOG.md 2023-01-17 19:54:56.000000000 +0100 @@ -1,3 +1,21 @@ +## Rails 7.0.4.1 (January 17, 2023) ## + +* Fix sec issue with _url_host_allowed? + + Disallow certain strings from `_url_host_allowed?` to avoid a redirect + to malicious sites. + + [CVE-2023-22797] + +* Avoid regex backtracking on If-None-Match header + + [CVE-2023-22795] + +* Use string#split instead of regex for domain parts + + [CVE-2023-22792] + + ## Rails 7.0.4 (September 09, 2022) ## * Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_controller/metal/redirecting.rb new/lib/action_controller/metal/redirecting.rb --- old/lib/action_controller/metal/redirecting.rb 2022-09-09 20:42:19.000000000 +0200 +++ new/lib/action_controller/metal/redirecting.rb 2023-01-17 19:54:56.000000000 +0100 
@@ -196,7 +196,11 @@ def _url_host_allowed?(url) host = URI(url.to_s).host - host == request.host || host.nil? && url.to_s.start_with?("/") + + return true if host == request.host + return false unless host.nil? + return false unless url.to_s.start_with?("/") + return !url.to_s.start_with?("//") rescue ArgumentError, URI::Error false end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_dispatch/http/cache.rb new/lib/action_dispatch/http/cache.rb --- old/lib/action_dispatch/http/cache.rb 2022-09-09 20:42:19.000000000 +0200 +++ new/lib/action_dispatch/http/cache.rb 2023-01-17 19:54:56.000000000 +0100 @@ -18,7 +18,7 @@ end def if_none_match_etags - if_none_match ? if_none_match.split(/\s*,\s*/) : [] + if_none_match ? if_none_match.split(",").each(&:strip!) : [] end def not_modified?(modified_at) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_dispatch/middleware/cookies.rb new/lib/action_dispatch/middleware/cookies.rb --- old/lib/action_dispatch/middleware/cookies.rb 2022-09-09 20:42:19.000000000 +0200 +++ new/lib/action_dispatch/middleware/cookies.rb 2023-01-17 19:54:56.000000000 +0100 @@ -290,20 +290,6 @@ class CookieJar # :nodoc: include Enumerable, ChainedCookieJars - # This regular expression is used to split the levels of a domain. - # The top level domain can be any string without a period or - # **.**, ***.** style TLDs like co.uk or com.au - # - # www.example.co.uk gives: - # $& => example.co.uk - # - # example.com gives: - # $& => example.com - # - # lots.of.subdomains.example.local gives: - # $& => example.local - DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/ - def self.build(req, cookies) jar = new(req) jar.update(cookies) 
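Review bot: `url.to_s` is evaluated three times in the new guard chain of `_url_host_allowed?`, and the final line carries an explicit `return` on what is already the method's last expression; assigning `url_string = url.to_s` once before the `URI(...)` call and closing with the bare `!url_string.start_with?("//")` says the same thing more idiomatically. The reason the `//` prefix is rejected only after the nil-host check is not recorded anywhere in the hunk, and it is the security-relevant part of the change; I would add above that line: `# A nil host is not proof of a same-site path: some protocol-relative forms such as "///host" parse with no host, yet a browser follows them off-site, so reject any leading "//".` The whole method, including its `rescue ArgumentError, URI::Error` fallback to `false`, is visible in the hunk.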
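Review bot: `if_none_match.split(",").each(&:strip!)` relies on in-place mutation of the freshly split strings and on `each` handing the receiver back; `if_none_match.split(",").map(&:strip)` expresses the intent directly and does not depend on `strip!` returning nil when nothing changed. The literal comma also looks like an accidental simplification unless the motive is stated, so I would add above the method: `# Split on a literal comma and strip each tag: the former /\s*,\s*/ split could backtrack on a crafted If-None-Match header (CVE-2023-22795).` Both forms keep an empty element from `a,,b`, which I take to be pre-existing behaviour rather than something this change needs to address.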
@@ -456,13 +442,35 @@ options[:same_site] ||= cookies_same_site_protection.call(request) if options[:domain] == :all || options[:domain] == "all" - # If there is a provided tld length then we use it otherwise default domain regexp. - domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP + cookie_domain = "" + dot_splitted_host = request.host.split('.', -1) + + # Case where request.host is not an IP address or it's an invalid domain + # (ip confirms to the domain structure we expect so we explicitly check for ip) + if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1 + options[:domain] = nil + return + end + + # If there is a provided tld length then we use it otherwise default domain. + if options[:tld_length].present? + # Case where the tld_length provided is valid + if dot_splitted_host.length >= options[:tld_length] + cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.') + end + # Case where tld_length is not provided + else + # Regular TLDs + if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host)) + cookie_domain = dot_splitted_host.last(2).join('.') + # **.**, ***.** style TLDs like co.uk and com.au + else + cookie_domain = dot_splitted_host.last(3).join('.') + end + end - # If host is not ip and matches domain regexp. - # (ip confirms to domain regexp so we explicitly check for ip) - options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp) - ".#{$&}" + options[:domain] = if cookie_domain.present? + ".#{cookie_domain}" end elsif options[:domain].is_a? Array # If host matches one of the supplied domains. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_pack/gem_version.rb new/lib/action_pack/gem_version.rb --- old/lib/action_pack/gem_version.rb 2022-09-09 20:42:19.000000000 +0200 +++ new/lib/action_pack/gem_version.rb 2023-01-17 19:54:56.000000000 +0100 
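Review bot: Both host regexes in the new `:all` branch, `/^[\d.]+$/` in the IP guard and `/([^.]{2,3}\.[^.]{2})$/` in the default-TLD branch, use the line anchors `^`/`$`, so a host value containing a newline is matched against one line of it rather than the whole string; the whole-string anchors are `\A`/`\z`: `if request.host.match?(/\A[\d.]+\z/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1` and `if !(/([^.]{2,3}\.[^.]{2})\z/.match?(request.host))`. Rack presumably never delivers such a host, so this is defence in depth rather than a reachable bug, but the `^`/`$` form is a recurring footgun in host validation. The comment `# Case where tld_length is not provided` sits inside the `if options[:tld_length].present?` body just above `else`, where it describes the branch that follows rather than the code around it; moving it under `else`, swapping the two TLD branches so the condition is positive instead of `if !(...)`, and renaming `dot_splitted_host` to `host_parts` would read more plainly. The branch now runs to roughly thirty lines with three levels of nesting inside a method whose `def` and `end` lie outside the hunk; extracting the domain computation into a private helper that takes the host and `tld_length` and returns the domain string or nil would keep the outer method readable.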
@@ -10,7 +10,7 @@ MAJOR = 7 MINOR = 0 TINY = 4 - PRE = nil + PRE = "1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2022-09-09 20:42:19.000000000 +0200 +++ new/metadata 2023-01-17 19:54:56.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: actionpack version: !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] -date: 2022-09-09 00:00:00.000000000 Z +date: 2023-01-17 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: activesupport @@ -16,14 +16,14 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 - !ruby/object:Gem::Dependency name: rack requirement: !ruby/object:Gem::Requirement @@ -98,28 +98,28 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 - !ruby/object:Gem::Dependency name: activemodel requirement: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 7.0.4 + version: 7.0.4.1 description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server. email: da...@loudthinking.com 
@@ -310,10 +310,10 @@ - MIT metadata: bug_tracker_uri: https://github.com/rails/rails/issues - changelog_uri: https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md - documentation_uri: https://api.rubyonrails.org/v7.0.4/ + changelog_uri: https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md + documentation_uri: https://api.rubyonrails.org/v7.0.4.1/ mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk - source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack + source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionpack rubygems_mfa_required: 'true' post_install_message: rdoc_options: [] @@ -331,7 +331,7 @@ version: '0' requirements: - none -rubygems_version: 3.3.3 +rubygems_version: 3.4.3 signing_key: specification_version: 4 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).