Package: ruby-rack / 1.4.1-2.1+deb7u1

Metadata

Package: ruby-rack
Version: 1.4.1-2.1+deb7u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
0001 Fix parsing performance for unquoted filenames.patch

lib/rack/multipart.rb | 4 2 + 2 - 0 !
test/spec_multipart.rb | 21 21 + 0 - 0 !
2 files changed, 23 insertions(+), 2 deletions(-)

 fix parsing performance for unquoted filenames

Special thanks to Paul Rogers & Eric Wong

0002 multipart parser avoid unbounded gets method.patch

lib/rack/multipart/parser.rb | 13 10 + 3 - 0 !
test/spec_multipart.rb | 53 53 + 0 - 0 !
2 files changed, 63 insertions(+), 3 deletions(-)

 multipart/parser: avoid unbounded #gets method

Malicious clients may send excessively long lines
to trigger out-of-memory errors in a Rack web server.

0003 Reimplement auth scheme fix.patch

lib/rack.rb | 12 12 + 0 - 0 !
lib/rack/auth/abstract/request.rb | 6 5 + 1 - 0 !
test/spec_auth.rb | 57 57 + 0 - 0 !
3 files changed, 74 insertions(+), 1 deletion(-)

 reimplement auth scheme fix

 * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
 * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
 * Checked Rails - they don't use our authorization code
 * Checked Warden - uses rails
 * Checked Omniauth - uses rails
 * Checked doorkeeper - uses rails
 * Checked rack-authentication - does its own thing
 * Checked warden-oauth - doesn't do headers
 * Checked devise - uses rails
 * Checked oauth2-rack - header creation only
 * Checked rack-oauth2-server - does its own thing
 * Probably missed a bunch, but that'll have to do

0004 Prevent symlink path traversals.patch

lib/rack/file.rb | 17 6 + 11 - 0 !
1 file changed, 6 insertions(+), 11 deletions(-)

 prevent symlink path traversals
 rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
 allows attackers to access arbitrary files outside the intended root
 directory via a crafted PATH_INFO environment variable, probably a directory
 traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

0005 Use secure_compare for hmac comparison.patch

lib/rack/session/cookie.rb | 2 1 + 1 - 0 !
lib/rack/utils.rb | 12 12 + 0 - 0 !
test/spec_utils.rb | 5 5 + 0 - 0 !
3 files changed, 18 insertions(+), 1 deletion(-)

 use secure compare for hmac comparison
 Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
 remote attackers to guess the session cookie, gain privileges, and
 execute arbitrary code via a timing attack involving an HMAC
 comparison function that does not run in constant time.
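
The check that patch 0005 changes, as an added example that is not the patch's or Rack's own code: an HMAC-signed cookie in the `data--digest` layout Rack::Session::Cookie uses, verified with a constant-time digest comparison instead of String#==. SECRET and the cookie payload are constructed sample values.

```ruby
require 'openssl'

# Constructed sample secret; a real deployment uses a long random value.
SECRET = 'example-secret-for-demo-only'

# Same digest construction as Rack 1.4.x: hex HMAC-SHA1 over the cookie data.
def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end

# Constant-time comparison. Every byte is XORed and OR-ed into r regardless
# of where the first mismatch is, so the time taken does not reveal how many
# leading bytes of a forged digest were correct. Only the length is leaked,
# which is public anyway (a hex SHA1 digest is always 40 bytes).
# Rewritten here in the same style as the secure_compare patch 0005 adds to
# Rack::Utils; not copied from the patch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  r = 0
  i = -1
  b.each_byte { |v| r |= v ^ l[i += 1] }
  r == 0
end

def make_cookie(data, secret)
  "#{data}--#{sign(data, secret)}"
end

# Returns the cookie data when the digest verifies, nil otherwise.
# The vulnerable pre-patch form of this check is `digest == sign(data, secret)`,
# which returns as soon as the first differing byte is found.
def verify_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  secure_compare(digest, sign(data, secret)) ? data : nil
end
```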

0006 Fix Params_Depth.patch

lib/rack/utils.rb | 15 11 + 4 - 0 !
test/spec_utils.rb | 12 12 + 0 - 0 !
2 files changed, 23 insertions(+), 4 deletions(-)

 raise an exception if the parameters are too deep

CVE-2015-3225

Conflicts:
	lib/rack/utils.rb
	test/spec_utils.rb