Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-rack-2.2 for openSUSE:Factory checked in at 2023-03-15 18:56:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2" Wed Mar 15 18:56:04 2023 rev:4 rq:1072043 version:2.2.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes 2023-03-14 18:17:26.567987773 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.31432/rubygem-rack-2.2.changes 2023-03-15 18:56:12.104924065 +0100 @@ -1,0 +2,7 @@ +Wed Mar 15 08:19:14 UTC 2023 - Daniel Donisa <daniel.don...@suse.com> + +- updated to version 2.2.6.4 + + [CVE-2023-27539] Avoid ReDoS in header parsing + +------------------------------------------------------------------- Old: ---- rack-2.2.6.3.gem New: ---- rack-2.2.6.4.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack-2.2.spec ++++++ --- /var/tmp/diff_new_pack.v2u04B/_old 2023-03-15 18:56:12.604926725 +0100 +++ /var/tmp/diff_new_pack.v2u04B/_new 2023-03-15 18:56:12.604926725 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-rack-2.2 -Version: 2.2.6.3 +Version: 2.2.6.4 Release: 0 %define mod_name rack %define mod_full_name %{mod_name}-%{version} ++++++ rack-2.2.6.3.gem -> rack-2.2.6.4.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2023-03-02 23:55:39.000000000 +0100 +++ new/CHANGELOG.md 2023-03-13 19:09:27.000000000 +0100 
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/). +## [2.2.6.4] - 2023-03-13 + +- [CVE-2023-27539] Avoid ReDoS in header parsing + ## [2.2.6.3] - 2023-03-02 - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb --- old/lib/rack/request.rb 2023-03-02 23:55:39.000000000 +0100 +++ new/lib/rack/request.rb 2023-03-13 19:09:27.000000000 +0100 @@ -572,8 +572,8 @@ end def parse_http_accept_header(header) - header.to_s.split(/\s*,\s*/).map do |part| - attribute, parameters = part.split(/\s*;\s*/, 2) + header.to_s.split(",").each(&:strip!).map do |part| + attribute, parameters = part.split(";", 2).each(&:strip!) quality = 1.0 if parameters and /\Aq=([\d.]+)/ =~ parameters quality = $1.to_f diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb --- old/lib/rack/version.rb 2023-03-02 23:55:39.000000000 +0100 +++ new/lib/rack/version.rb 2023-03-13 19:09:27.000000000 +0100 @@ -20,7 +20,7 @@ VERSION.join(".") end - RELEASE = "2.2.6.3" + RELEASE = "2.2.6.4" # Return the Rack release as a dotted string. def self.release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2023-03-02 23:55:39.000000000 +0100 +++ new/metadata 2023-03-13 19:09:27.000000000 +0100 
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 2.2.6.3 + version: 2.2.6.4 platform: ruby authors: - Leah Neukirchen -autorequire: +autorequire: bindir: bin cert_chain: [] -date: 2023-03-02 00:00:00.000000000 Z +date: 2023-03-13 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: minitest @@ -169,7 +169,7 @@ changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md documentation_uri: https://rubydoc.info/github/rack/rack source_code_uri: https://github.com/rack/rack -post_install_message: +post_install_message: rdoc_options: [] require_paths: - lib @@ -184,8 +184,8 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.4.1 -signing_key: +rubygems_version: 3.0.3.1 +signing_key: specification_version: 4 summary: A modular Ruby webserver interface. test_files: []
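Review bot: in the lib/rack/request.rb hunk, the new `header.to_s.split(",").each(&:strip!)` and `part.split(";", 2).each(&:strip!)` depend on `Array#each` returning the receiver so that `.map` and the `attribute, parameters` destructuring still see the stripped strings; that is correct Ruby, but `strip!` returns nil when nothing changed, so a reader skimming the chain can misread it, and `.map(&:strip)` or a one-line comment would make the intent unambiguous. The change is the right shape for the [CVE-2023-27539] entry in the CHANGELOG hunk: the removed `split(/\s*,\s*/)` and `split(/\s*;\s*/, 2)` let a request-controlled Accept header consisting largely of whitespace drive regex backtracking, while a literal `split(",")` followed by `strip!` is linear in the header length. Please add a regression test that runs parse_http_accept_header over a header made of a long whitespace run with no comma under a time bound, so the fix cannot silently regress if a regex split is reintroduced here later. The retained `/\Aq=([\d.]+)/` is anchored at `\A` and only repeats over a single character class, so it does not need the same treatment.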
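Review bot: in the metadata hunk `rubygems_version` moves backwards from 3.4.1 to 3.0.3.1, which says the 2.2.6.4 gem was built with an older RubyGems than 2.2.6.3; this is harmless for consumers, but since the packaging request is motivated by a security fix it is worth confirming that the gem came from the expected upstream release pipeline rather than a different build host (the patch itself only shows that checksums.yaml.gz differs, which any version bump would cause). The dropped trailing whitespace after `autorequire:`, `post_install_message:` and `signing_key:` is YAML serialization noise from that RubyGems version and needs no action.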