commit rubygem-puma-4 for openSUSE:Factory

2022-04-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory 
checked in at 2022-04-30 22:52:41

Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old)
 and  /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1538 (New)


Package is "rubygem-puma-4"

Sat Apr 30 22:52:41 2022 rev:5 rq:974067 version:4.3.12

Changes:

--- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes
2022-02-24 18:23:33.974656711 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1538/rubygem-puma-4.changes  
2022-04-30 22:52:54.912254886 +0200
@@ -1,0 +2,12 @@
+Thu Apr 28 05:42:04 UTC 2022 - Stephan Kulow 
+
+updated to version 4.3.12
+ see installed History.md
+
+  ## 4.3.12 / 2022-03-30
+  
+  * Security
+* Close several HTTP Request Smuggling exploits (CVE-2022-24790)
+  
+
+---

Old:

  puma-4.3.11.gem

New:

  puma-4.3.12.gem



Other differences:
--
++ rubygem-puma-4.spec ++
--- /var/tmp/diff_new_pack.8zta1m/_old  2022-04-30 22:52:55.420255573 +0200
+++ /var/tmp/diff_new_pack.8zta1m/_new  2022-04-30 22:52:55.424255579 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:   rubygem-puma-4
-Version:4.3.11
+Version:4.3.12
 Release:0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}

++ puma-4.3.11.gem -> puma-4.3.12.gem ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/History.md new/History.md
--- old/History.md  1980-01-01 01:00:00.0 +0100
+++ new/History.md  1980-01-01 01:00:00.0 +0100
@@ -1,3 +1,8 @@
+## 4.3.12 / 2022-03-30
+
+* Security
+  * Close several HTTP Request Smuggling exploits (CVE-2022-24790)
+
 ## 4.3.11 / 2022-02-11
 
 * Security
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ext/puma_http11/extconf.rb 
new/ext/puma_http11/extconf.rb
--- old/ext/puma_http11/extconf.rb  1980-01-01 01:00:00.0 +0100
+++ new/ext/puma_http11/extconf.rb  1980-01-01 01:00:00.0 +0100
@@ -22,6 +22,14 @@
 # with versions after 1.1.1
 have_func  "TLS_server_method", "openssl/ssl.h"
 have_macro "SSL_CTX_set_min_proto_version", "openssl/ssl.h"
+
+# Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated 
in 3.0
+if Random.respond_to?(:bytes)
+  $defs.push("-DHAVE_RANDOM_BYTES")
+  puts "checking for Random.bytes... yes"
+else
+  puts "checking for Random.bytes... no"
+end
   end
 end
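Review bot: The added `Random.respond_to?(:bytes)` probe reports its result with bare `puts`, so unlike the `have_func`/`have_macro` probes just above it, nothing is recorded in mkmf.log. mkmf's `checking_for` prints the same "checking for … yes/no" line and logs it, e.g. `$defs.push("-DHAVE_RANDOM_BYTES") if checking_for("Random.bytes") { Random.respond_to?(:bytes) }`. The probe answers for the Ruby that runs extconf.rb, which is normally the Ruby the extension is built for; a one-line comment saying so would help anyone cross-building. The C code guarded by HAVE_RANDOM_BYTES is not in this hunk; since `Random.bytes` draws from Ruby's default PRNG rather than a CSPRNG, it is worth confirming there that the bytes are used only for a non-secret value. The enclosing `if` block starts above the hunk.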
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ext/puma_http11/mini_ssl.c 
new/ext/puma_http11/mini_ssl.c
--- old/ext/puma_http11/mini_ssl.c  1980-01-01 01:00:00.0 +0100
+++ new/ext/puma_http11/mini_ssl.c  1980-01-01 01:00:00.0 +0100
@@ -62,44 +62,65 @@
   return conn;
 }
 
-DH *get_dh1024() {
-  /* `openssl dhparam 1024 -C`
+DH *get_dh2048(void) {
+  /* `openssl dhparam -C 2048`
* -BEGIN DH PARAMETERS-
-   * MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk
-   * usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+
-   * KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC
+   * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o
+   * 2NPNXqxHwsddMZ1RzvU8/jl+uhRuPWjXCFZbhET4N1vrviZM3VJhV8PPHuiVOACO
+   * y32jFd+Szx4bo2cXSK83hJ6jRd+0asP1awWjz9/06dFkrILCXMIfQLo0D8rqmppn
+   * EfDDAwuudCpM9kcDmBRAm9JsKbQ6gzZWjkc5+QWSaQofojIHbjvj3xzguaCJn+oQ
+   * vHWM+hsAnaOgEwCyeZ3xqs+/5lwSbkE/tqJW98cEZGygBUVo9jxZRZx6KOfjpdrb
+   * yenO9LJr/qtyrZB31WJbqxI0m0AKTAO8UwIBAg==
* -END DH PARAMETERS-
*/
-  static unsigned char dh1024_p[] = {
-0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C,
-0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5,
-0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E,
-0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74,
-0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0,
-0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4,
-0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0,
-0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1,
-0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71,
-0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67,
-0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B
+  static unsigned char dh2048_p[] = {
+0x8E, 0x68, 0x75, 0xB9, 0x01, 0xDD, 0x4D, 0xFC, 0x4E, 0xCB,
+0x11, 0x1B, 0x28, 0x05, 0x77, 0xD1, 0xF5, 0x1F, 0xCE, 0xA3,
+0x03, 0x17, 

commit rubygem-puma-4 for openSUSE:Factory

2022-02-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory 
checked in at 2022-02-24 18:20:18

Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old)
 and  /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1958 (New)


Package is "rubygem-puma-4"

Thu Feb 24 18:20:18 2022 rev:4 rq:956119 version:4.3.11

Changes:

--- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes
2022-02-07 23:38:50.198138085 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1958/rubygem-puma-4.changes  
2022-02-24 18:23:33.974656711 +0100
@@ -1,0 +2,12 @@
+Tue Feb 15 07:34:38 UTC 2022 - Stephan Kulow 
+
+updated to version 4.3.11
+ see installed History.md
+
+  ## 4.3.11 / 2022-02-11
+  
+  * Security
+* Always close the response body (GHSA-rmj8-8hhh-gv5h)
+  
+
+---

Old:

  puma-4.3.10.gem

New:

  puma-4.3.11.gem



Other differences:
--
++ rubygem-puma-4.spec ++
--- /var/tmp/diff_new_pack.dtThdA/_old  2022-02-24 18:23:34.410656597 +0100
+++ /var/tmp/diff_new_pack.dtThdA/_new  2022-02-24 18:23:34.414656596 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:   rubygem-puma-4
-Version:4.3.10
+Version:4.3.11
 Release:0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}

++ puma-4.3.10.gem -> puma-4.3.11.gem ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/History.md new/History.md
--- old/History.md  2021-10-13 01:12:41.0 +0200
+++ new/History.md  1980-01-01 01:00:00.0 +0100
@@ -1,3 +1,8 @@
+## 4.3.11 / 2022-02-11
+
+* Security
+  * Always close the response body (GHSA-rmj8-8hhh-gv5h)
+
 ## 4.3.10 / 2021-10-12
 
 * Bugfixes
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb
--- old/lib/puma/const.rb   2021-10-13 01:12:41.0 +0200
+++ new/lib/puma/const.rb   1980-01-01 01:00:00.0 +0100
@@ -100,7 +100,7 @@
   # too taxing on performance.
   module Const
 
-PUMA_VERSION = VERSION = "4.3.10".freeze
+PUMA_VERSION = VERSION = "4.3.11".freeze
 CODE_NAME = "Mysterious Traveller".freeze
 PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb
--- old/lib/puma/server.rb  2021-10-13 01:12:41.0 +0200
+++ new/lib/puma/server.rb  1980-01-01 01:00:00.0 +0100
@@ -873,11 +873,14 @@
 end
 
   ensure
-uncork_socket client
+begin
+  uncork_socket client
 
-body.close
-req.tempfile.unlink if req.tempfile
-res_body.close if res_body.respond_to? :close
+  body.close
+  req.tempfile.unlink if req.tempfile
+ensure
+  res_body.close if res_body.respond_to? :close
+end
 
 after_reply.each { |o| o.call }
   end
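Review bot: Inside the new `begin … ensure`, `body.close` and `req.tempfile.unlink` still run one after the other, so if `uncork_socket client` or `body.close` raises, the request tempfile is not unlinked; only `res_body.close` is now guaranteed. An exception there also still skips `after_reply.each { |o| o.call }`, which sits after the inner block. If each cleanup step is meant to be independent, nest them so that every step runs in the `ensure` of the one before, as sketched below. The method containing this `ensure` continues outside the hunk, so whether callers rescue these exceptions is not visible here.

```ruby
  ensure
    begin
      uncork_socket client
    ensure
      begin
        body.close
      ensure
        begin
          req.tempfile.unlink if req.tempfile
        ensure
          res_body.close if res_body.respond_to? :close
        end
      end
    end

    # … unchanged: after_reply hooks …
```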
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata2021-10-13 01:12:41.0 +0200
+++ new/metadata1980-01-01 01:00:00.0 +0100
@@ -1,24 +1,24 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.10
+  version: 4.3.11
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-12 00:00:00.0 Z
+date: 1980-01-01 00:00:00.0 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: nio4r
   requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
   - !ruby/object:Gem::Version
 version: '2.0'
-  name: nio4r
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
@@ -136,7 +136,7 @@
 - !ruby/object:Gem::Version
   version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.26
 signing_key:
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 
server for


commit rubygem-puma-4 for openSUSE:Factory

2022-02-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory 
checked in at 2022-02-07 23:37:47

Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old)
 and  /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1898 (New)


Package is "rubygem-puma-4"

Mon Feb  7 23:37:47 2022 rev:3 rq:949095 version:4.3.10

Changes:

--- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes
2021-07-02 13:28:44.524167034 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.1898/rubygem-puma-4.changes  
2022-02-07 23:38:50.198138085 +0100
@@ -1,0 +2,17 @@
+Tue Jan 25 07:20:39 UTC 2022 - Stephan Kulow 
+
+updated to version 4.3.10
+ see installed History.md
+
+  ## 4.3.10 / 2021-10-12
+  
+  * Bugfixes
+* Allow UTF-8 in HTTP header values
+  
+  ## 4.3.9 / 2021-10-12
+  
+  * Security
+* Do not allow LF as a line ending in a header (CVE-2021-41136)
+  
+
+---

Old:

  puma-4.3.8.gem

New:

  puma-4.3.10.gem



Other differences:
--
++ rubygem-puma-4.spec ++
--- /var/tmp/diff_new_pack.DblkXi/_old  2022-02-07 23:38:50.674134827 +0100
+++ /var/tmp/diff_new_pack.DblkXi/_new  2022-02-07 23:38:50.682134773 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-puma-4
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:   rubygem-puma-4
-Version:4.3.8
+Version:4.3.10
 Release:0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}

++ puma-4.3.8.gem -> puma-4.3.10.gem ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/History.md new/History.md
--- old/History.md  2021-05-11 16:53:19.0 +0200
+++ new/History.md  2021-10-13 01:12:41.0 +0200
@@ -1,3 +1,13 @@
+## 4.3.10 / 2021-10-12
+
+* Bugfixes
+  * Allow UTF-8 in HTTP header values
+
+## 4.3.9 / 2021-10-12
+
+* Security
+  * Do not allow LF as a line ending in a header (CVE-2021-41136)
+
 ## 4.3.8 / 2021-05-11
 
 * Security
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ext/puma_http11/http11_parser.c 
new/ext/puma_http11/http11_parser.c
--- old/ext/puma_http11/http11_parser.c 2021-05-11 16:53:19.0 +0200
+++ new/ext/puma_http11/http11_parser.c 2021-10-13 01:12:41.0 +0200
@@ -430,7 +430,13 @@
switch( (*p) ) {
case 13: goto tr26;
case 32: goto tr27;
+   case 127: goto st0;
}
+   if ( (*p) > 8 ) {
+   if ( 10 <= (*p) && (*p) <= 31 )
+   goto st0;
+   } else if ( (*p) >= 0 )
+   goto st0;
goto tr25;
 tr25:
 #line 44 "ext/puma_http11/http11_parser.rl"
@@ -440,9 +446,16 @@
if ( ++p == pe )
goto _test_eof19;
 case 19:
-#line 442 "ext/puma_http11/http11_parser.c"
-   if ( (*p) == 13 )
-   goto tr29;
+#line 448 "ext/puma_http11/http11_parser.c"
+   switch( (*p) ) {
+   case 13: goto tr29;
+   case 127: goto st0;
+   }
+   if ( (*p) > 8 ) {
+   if ( 10 <= (*p) && (*p) <= 31 )
+   goto st0;
+   } else if ( (*p) >= 0 )
+   goto st0;
goto st19;
 tr9:
 #line 51 "ext/puma_http11/http11_parser.rl"
@@ -486,7 +499,7 @@
if ( ++p == pe )
goto _test_eof20;
 case 20:
-#line 488 "ext/puma_http11/http11_parser.c"
+#line 501 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr31;
case 60: goto st0;
@@ -507,7 +520,7 @@
if ( ++p == pe )
goto _test_eof21;
 case 21:
-#line 509 "ext/puma_http11/http11_parser.c"
+#line 522 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr33;
case 60: goto st0;
@@ -528,7 +541,7 @@
if ( ++p == pe )
goto _test_eof22;
 case 22:
-#line 530 "ext/puma_http11/http11_parser.c"
+#line 543 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 43: goto st22;
case 58: goto st23;
@@ -553,7 +566,7 @@
if ( ++p == pe )
goto _test_eof23;
 case 23:
-#line 555 "ext/puma_http11/http11_parser.c"
+#line 568 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr8;
case 34: goto st0;
@@ -573,7 +586,7 

commit rubygem-puma-4 for openSUSE:Factory

2021-07-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-puma-4 for openSUSE:Factory 
checked in at 2021-07-02 13:27:45

Comparing /work/SRC/openSUSE:Factory/rubygem-puma-4 (Old)
 and  /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.2625 (New)


Package is "rubygem-puma-4"

Fri Jul  2 13:27:45 2021 rev:2 rq:903528 version:4.3.8

Changes:

--- /work/SRC/openSUSE:Factory/rubygem-puma-4/rubygem-puma-4.changes
2021-02-23 20:23:00.147793494 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-puma-4.new.2625/rubygem-puma-4.changes  
2021-07-02 13:28:44.524167034 +0200
@@ -1,0 +2,12 @@
+Thu Jun 24 17:48:15 UTC 2021 - Stephan Kulow 
+
+updated to version 4.3.8
+ see installed History.md
+
+  ## 4.3.8 / 2021-05-11
+  
+  * Security
+* Close keepalive connections after the maximum number of fast inlined 
requests (#2625)
+  
+
+---

Old:

  puma-4.3.7.gem

New:

  puma-4.3.8.gem



Other differences:
--
++ rubygem-puma-4.spec ++
--- /var/tmp/diff_new_pack.PvBDKp/_old  2021-07-02 13:28:44.896164148 +0200
+++ /var/tmp/diff_new_pack.PvBDKp/_new  2021-07-02 13:28:44.896164148 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:   rubygem-puma-4
-Version:4.3.7
+Version:4.3.8
 Release:0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}

++ puma-4.3.7.gem -> puma-4.3.8.gem ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/History.md new/History.md
--- old/History.md  2020-11-30 17:52:43.0 +0100
+++ new/History.md  2021-05-11 16:53:19.0 +0200
@@ -1,3 +1,8 @@
+## 4.3.8 / 2021-05-11
+
+* Security
+  * Close keepalive connections after the maximum number of fast inlined 
requests (#2625)
+
 ## 4.3.7 / 2020-11-30
 
 * Bugfixes
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb
--- old/lib/puma/const.rb   2020-11-30 17:52:43.0 +0100
+++ new/lib/puma/const.rb   2021-05-11 16:53:19.0 +0200
@@ -100,7 +100,7 @@
   # too taxing on performance.
   module Const
 
-PUMA_VERSION = VERSION = "4.3.7".freeze
+PUMA_VERSION = VERSION = "4.3.8".freeze
 CODE_NAME = "Mysterious Traveller".freeze
 PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb
--- old/lib/puma/server.rb  2020-11-30 17:52:43.0 +0100
+++ new/lib/puma/server.rb  2021-05-11 16:53:19.0 +0200
@@ -483,15 +483,20 @@
 
 requests += 1
 
-check_for_more_data = @status == :run
+# Closing keepalive sockets after they've made a reasonable
+# number of requests allows Puma to service many connections
+# fairly, even when the number of concurrent connections exceeds
+# the size of the threadpool. It also allows cluster mode Pumas
+# to keep load evenly distributed across workers, because clients
+# are randomly assigned a new worker when opening a new connection.
+#
+# Previously, Puma would kick connections in this conditional back
+# to the reactor. However, because this causes the todo set to 
increase
+# in size, the wait_until_full mutex would never unlock, leaving
+# any additional connections unserviced.
+break if requests >= MAX_FAST_INLINE
 
-if requests >= MAX_FAST_INLINE
-  # This will mean that reset will only try to use the data it 
already
-  # has buffered and won't try to read more data. What this means 
is that
-  # every client, independent of their request speed, gets treated 
like a slow
-  # one once every MAX_FAST_INLINE requests.
-  check_for_more_data = false
-end
+check_for_more_data = @status == :run
 
 unless client.reset(check_for_more_data)
   close_socket = false
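Review bot: The comment added above `break if requests >= MAX_FAST_INLINE` says the keepalive socket is closed, but the statement only leaves the request loop; the close depends on `close_socket` and the cleanup that follow the loop, which are outside this hunk. A short addition would make that explicit, e.g. `# break leaves close_socket untouched, so the cleanup after the loop closes the connection` (wording to be confirmed against the rest of the method). The second paragraph ("Previously, Puma would kick connections …") describes the code being removed and reads better in the commit message than in the source. It is also worth a test that a client which has already pipelined another request when the limit is reached sees a clean close and can retry, since anything still buffered is presumably dropped at the `break`.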
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata2020-11-30 17:52:43.0 +0100
+++ new/metadata2021-05-11 16:53:19.0 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.7
+  version: 4.3.8
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-30 00