Hello community, here is the log from the commit of package rubygem-sinatra for openSUSE:Factory checked in at 2018-06-02 12:14:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-sinatra (Old) and /work/SRC/openSUSE:Factory/.rubygem-sinatra.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-sinatra" Sat Jun 2 12:14:41 2018 rev:6 rq:613467 version:2.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-sinatra/rubygem-sinatra.changes 2018-02-22 15:03:13.208333076 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-sinatra.new/rubygem-sinatra.changes 2018-06-02 12:14:59.357737584 +0200 @@ -1,0 +2,6 @@ +Fri Jun 1 11:16:24 UTC 2018 - kbabi...@suse.com + +- Added CVE-2018-11627.patch: Fixed an XSS issue in base.rb via 400 + Bad Request page (bsc#1095529 CVE-2018-11627) + +------------------------------------------------------------------- New: ---- CVE-2018-11627.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-sinatra.spec ++++++ --- /var/tmp/diff_new_pack.oNADPe/_old 2018-06-02 12:15:00.829683594 +0200 +++ /var/tmp/diff_new_pack.oNADPe/_new 2018-06-02 12:15:00.833683447 +0200 @@ -36,6 +36,9 @@ Url: http://www.sinatrarb.com/ Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml +# MANUAL +Patch0: CVE-2018-11627.patch +# /MANUAL Summary: Classy web-development dressed in a DSL License: MIT Group: Development/Languages/Ruby @@ -45,6 +48,10 @@ effort. %prep +%gem_unpack +%patch0 -p1 +find -type f -print0 | xargs -0 touch -r %{S:0} +%gem_build %build ++++++ CVE-2018-11627.patch ++++++ >From 12786867d6faaceaec62c7c2cb5b0e2dc074d71a Mon Sep 17 00:00:00 2001 From: Kunpei Sakai <namusy...@gmail.com> Date: Thu, 31 May 2018 01:05:27 +0900 Subject: [PATCH] escape invalid query params, fixes #1428 --- lib/sinatra/base.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb index 6843b4d37..727078d81 100644 --- a/lib/sinatra/base.rb +++ b/lib/sinatra/base.rb 
@@ -78,7 +78,7 @@ def unlink? def params super rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e - raise BadRequest, "Invalid query parameters: #{e.message}" + raise BadRequest, "Invalid query parameters: #{Rack::Utils.escape_html(e.message)}" end private ++++++ gem2rpm.yml ++++++ --- /var/tmp/diff_new_pack.oNADPe/_old 2018-06-02 12:15:00.897681099 +0200 +++ /var/tmp/diff_new_pack.oNADPe/_new 2018-06-02 12:15:00.897681099 +0200 @@ -19,8 +19,8 @@ # BuildRequires: foobar # Requires: foobar # ## used by gem2rpm -# :patches: -# foo.patch: -p1 +:patches: + CVE-2018-11627.patch: -p1 # bar.patch: # ## used by gem2rpm :sources:
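Review bot: in the rubygem-sinatra.spec %prep hunk, `find -type f -print0 | xargs -0 touch -r %{S:0}` omits the starting directory; GNU find defaults to `.`, but `find . -type f -print0 | xargs -0 touch -r %{S:0}` is the portable form and makes the intent explicit (reset the mtimes of the unpacked gem contents to the source gem's timestamp after patching, so the gem rebuilt by `%gem_build` stays reproducible). A one-line comment above the `find` saying exactly that would save the next packager from wondering why the `touch` is there at all.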
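Review bot: in the lib/sinatra/base.rb hunk, the change wraps only `e.message` in `Rack::Utils.escape_html`, so the Rack parameter-error text is entity-encoded before it is interpolated into the `BadRequest` message that is rendered on the 400 page; that is the right place to neutralise the reflected input, and `Rack::Utils` is already in scope given the `Rack::Utils::ParameterTypeError` rescue on the line above. The commit touches one file and adds no regression test, though: suggest a spec that sends a request with a malformed query string and asserts that the 400 response body contains the escaped form rather than the raw text, so a later change to how the error page is rendered cannot silently reintroduce the issue. Also worth noting that because escaping happens where the exception is raised, the message now carries HTML entities wherever else it is surfaced (for example in logs); acceptable here, but it should be a conscious choice rather than a side effect.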
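Review bot: in the gem2rpm.yml hunk, the new `:patches:` entry `CVE-2018-11627.patch: -p1` matches `Patch0` and `%patch0 -p1` in the spec, but the template line `# bar.patch:` is left dangling directly under the now-active key, so the file reads as if bar.patch were a commented-out second entry; either drop it or move it next to the other `## used by gem2rpm` template comments. Since the patch is now declared here and the spec also carries it inside `# MANUAL` markers, confirm that regenerating the spec with gem2rpm produces the same `Patch0` and `%prep` lines, otherwise the two declarations can drift apart on the next update.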