commit rubygem-puma-4 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory checked in at 2022-04-30 22:52:41 Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1538 (New) Package is "rubygem-puma-4" Sat Apr 30 22:52:41 2022 rev:5 rq:974067 version:4.3.12 Changes: --- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes 2022-02-24 18:23:33.974656711 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1538/rubygem-puma-4.changes 2022-04-30 22:52:54.912254886 +0200 @@ -1,0 +2,12 @@ +Thu Apr 28 05:42:04 UTC 2022 - Stephan Kulow + +updated to version 4.3.12 + see installed History.md + + ## 4.3.12 / 2022-03-30 + + * Security +* Close several HTTP Request Smuggling exploits (CVE-2022-24790) + + +--- Old: puma-4.3.11.gem New: puma-4.3.12.gem Other differences: -- ++ rubygem-puma-4.spec ++ --- /var/tmp/diff_new_pack.8zta1m/_old 2022-04-30 22:52:55.420255573 +0200 +++ /var/tmp/diff_new_pack.8zta1m/_new 2022-04-30 22:52:55.424255579 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-puma-4 -Version:4.3.11 +Version:4.3.12 Release:0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} ++ puma-4.3.11.gem -> puma-4.3.12.gem ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 1980-01-01 01:00:00.0 +0100 +++ new/History.md 1980-01-01 01:00:00.0 +0100 @@ -1,3 +1,8 @@ +## 4.3.12 / 2022-03-30 + +* Security + * Close several HTTP Request Smuggling exploits (CVE-2022-24790) + ## 4.3.11 / 2022-02-11 * Security Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ext/puma_http11/extconf.rb new/ext/puma_http11/extconf.rb --- old/ext/puma_http11/extconf.rb 1980-01-01 01:00:00.0 +0100 +++ new/ext/puma_http11/extconf.rb 1980-01-01 01:00:00.0 +0100 
@@ -22,6 +22,14 @@ # with versions after 1.1.1 have_func "TLS_server_method", "openssl/ssl.h" have_macro "SSL_CTX_set_min_proto_version", "openssl/ssl.h" + +# Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0 +if Random.respond_to?(:bytes) + $defs.push("-DHAVE_RANDOM_BYTES") + puts "checking for Random.bytes... yes" +else + puts "checking for Random.bytes... no" +end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ext/puma_http11/mini_ssl.c new/ext/puma_http11/mini_ssl.c --- old/ext/puma_http11/mini_ssl.c 1980-01-01 01:00:00.0 +0100 +++ new/ext/puma_http11/mini_ssl.c 1980-01-01 01:00:00.0 +0100 
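Review bot: The Random.bytes probe reports its result with bare `puts` calls, so unlike the `have_func`/`have_macro` checks just above it the outcome never reaches mkmf.log, which is where a broken extension build is normally diagnosed. mkmf's `checking_for` wrapper prints the same `checking for ... yes/no` line and logs it, so the eight added lines collapse to `$defs.push("-DHAVE_RANDOM_BYTES") if checking_for("Random.bytes") { Random.respond_to?(:bytes) }`. The probe also reflects the Ruby running extconf rather than the one that later loads mini_ssl.so; in a normal gem install that is the same interpreter, but the comment could say so. The block enclosing this hunk is opened before it.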
@@ -62,44 +62,65 @@ return conn; } -DH *get_dh1024() { - /* `openssl dhparam 1024 -C` +DH *get_dh2048(void) { + /* `openssl dhparam -C 2048` * -BEGIN DH PARAMETERS- - * MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk - * usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+ - * KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC + * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o + * 2NPNXqxHwsddMZ1RzvU8/jl+uhRuPWjXCFZbhET4N1vrviZM3VJhV8PPHuiVOACO + * y32jFd+Szx4bo2cXSK83hJ6jRd+0asP1awWjz9/06dFkrILCXMIfQLo0D8rqmppn + * EfDDAwuudCpM9kcDmBRAm9JsKbQ6gzZWjkc5+QWSaQofojIHbjvj3xzguaCJn+oQ + * vHWM+hsAnaOgEwCyeZ3xqs+/5lwSbkE/tqJW98cEZGygBUVo9jxZRZx6KOfjpdrb + * yenO9LJr/qtyrZB31WJbqxI0m0AKTAO8UwIBAg== * -END DH PARAMETERS- */ - static unsigned char dh1024_p[] = { -0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C, -0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5, -0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E, -0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74, -0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0, -0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4, -0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0, -0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1, -0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71, -0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67, -0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B + static unsigned char dh2048_p[] = { +0x8E, 0x68, 0x75, 0xB9, 0x01, 0xDD, 0x4D, 0xFC, 0x4E, 0xCB, +0x11, 0x1B, 0x28, 0x05, 0x77, 0xD1, 0xF5, 0x1F, 0xCE, 0xA3, +0x03, 0x17,
commit rubygem-puma-4 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory checked in at 2022-02-24 18:20:18 Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1958 (New) Package is "rubygem-puma-4" Thu Feb 24 18:20:18 2022 rev:4 rq:956119 version:4.3.11 Changes: --- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes 2022-02-07 23:38:50.198138085 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1958/rubygem-puma-4.changes 2022-02-24 18:23:33.974656711 +0100 @@ -1,0 +2,12 @@ +Tue Feb 15 07:34:38 UTC 2022 - Stephan Kulow + +updated to version 4.3.11 + see installed History.md + + ## 4.3.11 / 2022-02-11 + + * Security +* Always close the response body (GHSA-rmj8-8hhh-gv5h) + + +--- Old: puma-4.3.10.gem New: puma-4.3.11.gem Other differences: -- ++ rubygem-puma-4.spec ++ --- /var/tmp/diff_new_pack.dtThdA/_old 2022-02-24 18:23:34.410656597 +0100 +++ /var/tmp/diff_new_pack.dtThdA/_new 2022-02-24 18:23:34.414656596 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-puma-4 -Version:4.3.10 +Version:4.3.11 Release:0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} ++ puma-4.3.10.gem -> puma-4.3.11.gem ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 2021-10-13 01:12:41.0 +0200 +++ new/History.md 1980-01-01 01:00:00.0 +0100 @@ -1,3 +1,8 @@ +## 4.3.11 / 2022-02-11 + +* Security + * Always close the response body (GHSA-rmj8-8hhh-gv5h) + ## 4.3.10 / 2021-10-12 * Bugfixes Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb --- old/lib/puma/const.rb 2021-10-13 01:12:41.0 +0200 +++ new/lib/puma/const.rb 1980-01-01 01:00:00.0 +0100 
@@ -100,7 +100,7 @@ # too taxing on performance. module Const -PUMA_VERSION = VERSION = "4.3.10".freeze +PUMA_VERSION = VERSION = "4.3.11".freeze CODE_NAME = "Mysterious Traveller".freeze PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb --- old/lib/puma/server.rb 2021-10-13 01:12:41.0 +0200 +++ new/lib/puma/server.rb 1980-01-01 01:00:00.0 +0100 @@ -873,11 +873,14 @@ end ensure -uncork_socket client +begin + uncork_socket client -body.close -req.tempfile.unlink if req.tempfile -res_body.close if res_body.respond_to? :close + body.close + req.tempfile.unlink if req.tempfile +ensure + res_body.close if res_body.respond_to? :close +end after_reply.each { |o| o.call } end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata2021-10-13 01:12:41.0 +0200 +++ new/metadata1980-01-01 01:00:00.0 +0100 @@ -1,24 +1,24 @@ --- !ruby/object:Gem::Specification name: puma version: !ruby/object:Gem::Version - version: 4.3.10 + version: 4.3.11 platform: ruby authors: - Evan Phoenix autorequire: bindir: bin cert_chain: [] -date: 2021-10-12 00:00:00.0 Z +date: 1980-01-01 00:00:00.0 Z dependencies: - !ruby/object:Gem::Dependency + name: nio4r requirement: !ruby/object:Gem::Requirement requirements: - - "~>" - !ruby/object:Gem::Version version: '2.0' - name: nio4r - prerelease: false type: :runtime + prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - "~>" @@ -136,7 +136,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.1.6 +rubygems_version: 3.2.26 signing_key: specification_version: 4 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
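Review bot: In the restructured `ensure` block, `req.tempfile.unlink if req.tempfile` still runs only when `uncork_socket client` and `body.close` return normally, so an exception from either leaves the request tempfile on disk even though `res_body` is now closed reliably. The `after_reply` hooks sit outside the new begin/ensure and are likewise skipped whenever anything inside it raises. Giving the unlink its own `ensure` (or ordering it after `res_body.close`) would extend to the tempfile the same guarantee the commit adds for the response body. The method this `ensure` belongs to starts before the hunk.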
commit rubygem-puma-4 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory checked in at 2022-02-07 23:37:47 Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1898 (New) Package is "rubygem-puma-4" Mon Feb 7 23:37:47 2022 rev:3 rq:949095 version:4.3.10 Changes: --- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes 2021-07-02 13:28:44.524167034 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1898/rubygem-puma-4.changes 2022-02-07 23:38:50.198138085 +0100 @@ -1,0 +2,17 @@ +Tue Jan 25 07:20:39 UTC 2022 - Stephan Kulow + +updated to version 4.3.10 + see installed History.md + + ## 4.3.10 / 2021-10-12 + + * Bugfixes +* Allow UTF-8 in HTTP header values + + ## 4.3.9 / 2021-10-12 + + * Security +* Do not allow LF as a line ending in a header (CVE-2021-41136) + + +--- Old: puma-4.3.8.gem New: puma-4.3.10.gem Other differences: -- ++ rubygem-puma-4.spec ++ --- /var/tmp/diff_new_pack.DblkXi/_old 2022-02-07 23:38:50.674134827 +0100 +++ /var/tmp/diff_new_pack.DblkXi/_new 2022-02-07 23:38:50.682134773 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-puma-4 # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-puma-4 -Version:4.3.8 +Version:4.3.10 Release:0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} ++ puma-4.3.8.gem -> puma-4.3.10.gem ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 2021-05-11 16:53:19.0 +0200 +++ new/History.md 2021-10-13 01:12:41.0 +0200 
@@ -1,3 +1,13 @@ +## 4.3.10 / 2021-10-12 + +* Bugfixes + * Allow UTF-8 in HTTP header values + +## 4.3.9 / 2021-10-12 + +* Security + * Do not allow LF as a line ending in a header (CVE-2021-41136) + ## 4.3.8 / 2021-05-11 * Security Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ext/puma_http11/http11_parser.c new/ext/puma_http11/http11_parser.c --- old/ext/puma_http11/http11_parser.c 2021-05-11 16:53:19.0 +0200 +++ new/ext/puma_http11/http11_parser.c 2021-10-13 01:12:41.0 +0200 @@ -430,7 +430,13 @@ switch( (*p) ) { case 13: goto tr26; case 32: goto tr27; + case 127: goto st0; } + if ( (*p) > 8 ) { + if ( 10 <= (*p) && (*p) <= 31 ) + goto st0; + } else if ( (*p) >= 0 ) + goto st0; goto tr25; tr25: #line 44 "ext/puma_http11/http11_parser.rl" @@ -440,9 +446,16 @@ if ( ++p == pe ) goto _test_eof19; case 19: -#line 442 "ext/puma_http11/http11_parser.c" - if ( (*p) == 13 ) - goto tr29; +#line 448 "ext/puma_http11/http11_parser.c" + switch( (*p) ) { + case 13: goto tr29; + case 127: goto st0; + } + if ( (*p) > 8 ) { + if ( 10 <= (*p) && (*p) <= 31 ) + goto st0; + } else if ( (*p) >= 0 ) + goto st0; goto st19; tr9: #line 51 "ext/puma_http11/http11_parser.rl" @@ -486,7 +499,7 @@ if ( ++p == pe ) goto _test_eof20; case 20: -#line 488 "ext/puma_http11/http11_parser.c" +#line 501 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr31; case 60: goto st0; @@ -507,7 +520,7 @@ if ( ++p == pe ) goto _test_eof21; case 21: -#line 509 "ext/puma_http11/http11_parser.c" +#line 522 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr33; case 60: goto st0; @@ -528,7 +541,7 @@ if ( ++p == pe ) goto _test_eof22; case 22: -#line 530 "ext/puma_http11/http11_parser.c" +#line 543 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 43: goto st22; case 58: goto st23; 
@@ -553,7 +566,7 @@ if ( ++p == pe ) goto _test_eof23; case 23: -#line 555 "ext/puma_http11/http11_parser.c" +#line 568 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr8; case 34: goto st0; @@ -573,7 +586,7
commit rubygem-puma-4 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory checked in at 2021-07-02 13:27:45 Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.2625 (New) Package is "rubygem-puma-4" Fri Jul 2 13:27:45 2021 rev:2 rq:903528 version:4.3.8 Changes: --- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes 2021-02-23 20:23:00.147793494 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.2625/rubygem-puma-4.changes 2021-07-02 13:28:44.524167034 +0200 @@ -1,0 +2,12 @@ +Thu Jun 24 17:48:15 UTC 2021 - Stephan Kulow + +updated to version 4.3.8 + see installed History.md + + ## 4.3.8 / 2021-05-11 + + * Security +* Close keepalive connections after the maximum number of fast inlined requests (#2625) + + +--- Old: puma-4.3.7.gem New: puma-4.3.8.gem Other differences: -- ++ rubygem-puma-4.spec ++ --- /var/tmp/diff_new_pack.PvBDKp/_old 2021-07-02 13:28:44.896164148 +0200 +++ /var/tmp/diff_new_pack.PvBDKp/_new 2021-07-02 13:28:44.896164148 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-puma-4 -Version:4.3.7 +Version:4.3.8 Release:0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} ++ puma-4.3.7.gem -> puma-4.3.8.gem ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 2020-11-30 17:52:43.0 +0100 +++ new/History.md 2021-05-11 16:53:19.0 +0200 @@ -1,3 +1,8 @@ +## 4.3.8 / 2021-05-11 + +* Security + * Close keepalive connections after the maximum number of fast inlined requests (#2625) + ## 4.3.7 / 2020-11-30 * Bugfixes Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb --- old/lib/puma/const.rb 2020-11-30 17:52:43.0 +0100 +++ new/lib/puma/const.rb 2021-05-11 16:53:19.0 +0200 
@@ -100,7 +100,7 @@ # too taxing on performance. module Const -PUMA_VERSION = VERSION = "4.3.7".freeze +PUMA_VERSION = VERSION = "4.3.8".freeze CODE_NAME = "Mysterious Traveller".freeze PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb --- old/lib/puma/server.rb 2020-11-30 17:52:43.0 +0100 +++ new/lib/puma/server.rb 2021-05-11 16:53:19.0 +0200 @@ -483,15 +483,20 @@ requests += 1 -check_for_more_data = @status == :run +# Closing keepalive sockets after they've made a reasonable +# number of requests allows Puma to service many connections +# fairly, even when the number of concurrent connections exceeds +# the size of the threadpool. It also allows cluster mode Pumas +# to keep load evenly distributed across workers, because clients +# are randomly assigned a new worker when opening a new connection. +# +# Previously, Puma would kick connections in this conditional back +# to the reactor. However, because this causes the todo set to increase +# in size, the wait_until_full mutex would never unlock, leaving +# any additional connections unserviced. +break if requests >= MAX_FAST_INLINE -if requests >= MAX_FAST_INLINE - # This will mean that reset will only try to use the data it already - # has buffered and won't try to read more data. What this means is that - # every client, independent of their request speed, gets treated like a slow - # one once every MAX_FAST_INLINE requests. - check_for_more_data = false -end +check_for_more_data = @status == :run unless client.reset(check_for_more_data) close_socket = false diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata2020-11-30 17:52:43.0 +0100 +++ new/metadata2021-05-11 16:53:19.0 +0200 
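Review bot: `break if requests >= MAX_FAST_INLINE` leaves the keepalive loop before `client.reset`, so anything the client has already pipelined after its MAX_FAST_INLINE-th request is discarded when the socket is closed; that is only clean if that last response carried `Connection: close`, which nothing in this hunk sets, so the client-facing side of the cut-off deserves a check or at least a one-line comment stating why it is acceptable. Whether the socket is actually closed after the `break` depends on `close_socket` keeping its default past the loop, which is outside the hunk. The eleven-line rationale comment mostly records the previous behaviour; the first sentences about fair service across connections and workers are what a reader of this loop needs, while the "Previously…" paragraph belongs in the commit message. The loop and method enclosing this hunk begin and end outside it.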
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: puma version: !ruby/object:Gem::Version - version: 4.3.7 + version: 4.3.8 platform: ruby authors: - Evan Phoenix autorequire: bindir: bin cert_chain: [] -date: 2020-11-30 00