ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:95222] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
       [not found] <redmine.issue-16238.20191004132159@ruby-lang.org>
@ 2019-10-04 13:22 ` mail
  2019-10-04 13:41 ` [ruby-core:95223] " hsbt
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 5+ messages in thread
From: mail @ 2019-10-04 13:22 UTC (permalink / raw)
  To: ruby-core

Issue #16238 has been reported by rbjl (Jan Lelis).

----------------------------------------
Bug #16238: Publish new WEBrick version to rubygems.org
https://bugs.ruby-lang.org/issues/16238

* Author: rbjl (Jan Lelis)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The latest security releases of Ruby include some fixes in the webrick default gem:

- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

However, as of now, the changes have not been published to rubygems:

- https://rubygems.org/gems/webrick

More confusingly, the version number of webrick has not been changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick.

In the past, security patches often led to a fourth-place-version-number (see for example, rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5))

I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized.



-- 
https://bugs.ruby-lang.org/

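A small version-triage script, added here as an example and not part of the thread or of the ruby/webrick project. It classifies a webrick version string against the 1.5.0 release that closes this thread, and it treats a bare "1.4.2" as ambiguous because, as the report above says, the patched tree in Ruby 2.6.5 still reports 1.4.2. The function names, the symbol results and the :ambiguous rule are my own choices; only the version numbers come from the thread.

```ruby
# Added example; not code from the ruby-core thread or the ruby/webrick project.
# Classifies a webrick version string against the fix release that this
# thread ends with (1.5.0 on rubygems.org). The thread also says the patched
# tree shipped in Ruby 2.6.5 still reports 1.4.2, so "1.4.2" alone does not
# tell you whether a copy is patched; it is reported as :ambiguous.
require "rubygems"

FIXED_WEBRICK     = Gem::Version.new("1.5.0")   # version published by hsbt
AMBIGUOUS_WEBRICK = Gem::Version.new("1.4.2")   # pre- and post-patch both report this

# Returns :fixed, :ambiguous, :older_than_fix, or :unknown (unparseable string).
def classify_webrick_version(version_string)
  return :unknown unless Gem::Version.correct?(version_string)

  v = Gem::Version.new(version_string)
  return :fixed if v >= FIXED_WEBRICK
  return :ambiguous if v == AMBIGUOUS_WEBRICK

  :older_than_fix
end

# Every webrick gemspec RubyGems can see on this machine (the default gem plus
# any copy installed from rubygems.org), as version strings. Empty if none.
def installed_webrick_versions
  Gem::Specification.find_all_by_name("webrick").map { |spec| spec.version.to_s }
end

# Pairs each visible copy with its classification. A running server uses
# whichever copy gets loaded, so every visible copy is worth looking at.
def webrick_report(versions = installed_webrick_versions)
  versions.map { |v| [v, classify_webrick_version(v)] }
end

if $PROGRAM_NAME == __FILE__
  report = webrick_report
  report.each { |version, status| puts "webrick #{version}: #{status}" }
  puts "no webrick gemspec visible to RubyGems" if report.empty?
end
```

To make an application pick up the rubygems.org release rather than the default gem bundled with Ruby, pin it in the Gemfile (`gem "webrick", ">= 1.5.0"`) and confirm with `require "webrick"; WEBrick::VERSION` which copy actually loads; an :ambiguous result still needs a look at the installed source, since the version string cannot settle it.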

* [ruby-core:95223] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
       [not found] <redmine.issue-16238.20191004132159@ruby-lang.org>
  2019-10-04 13:22 ` [ruby-core:95222] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org mail
@ 2019-10-04 13:41 ` hsbt
  2019-10-04 13:53 ` [ruby-core:95224] " hsbt
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 5+ messages in thread
From: hsbt @ 2019-10-04 13:41 UTC (permalink / raw)
  To: ruby-core

Issue #16238 has been updated by hsbt (Hiroshi SHIBATA).

Assignee set to hsbt (Hiroshi SHIBATA)
Status changed from Open to Assigned

I'm working on it now. I need to triage the changeset from ruby/ruby master. 

Please wait a few days.

-- 
https://bugs.ruby-lang.org/


* [ruby-core:95224] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
       [not found] <redmine.issue-16238.20191004132159@ruby-lang.org>
  2019-10-04 13:22 ` [ruby-core:95222] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org mail
  2019-10-04 13:41 ` [ruby-core:95223] " hsbt
@ 2019-10-04 13:53 ` hsbt
  2019-10-04 13:58 ` [ruby-core:95225] " mail
  2019-10-04 15:34 ` [ruby-core:95227] " mail
  4 siblings, 0 replies; 5+ messages in thread
From: hsbt @ 2019-10-04 13:53 UTC (permalink / raw)
  To: ruby-core

Issue #16238 has been updated by hsbt (Hiroshi SHIBATA).

Status changed from Assigned to Closed

Done

https://rubygems.org/gems/webrick/versions/1.5.0

-- 
https://bugs.ruby-lang.org/


* [ruby-core:95225] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
       [not found] <redmine.issue-16238.20191004132159@ruby-lang.org>
                   ` (2 preceding siblings ...)
  2019-10-04 13:53 ` [ruby-core:95224] " hsbt
@ 2019-10-04 13:58 ` mail
  2019-10-04 15:34 ` [ruby-core:95227] " mail
  4 siblings, 0 replies; 5+ messages in thread
From: mail @ 2019-10-04 13:58 UTC (permalink / raw)
  To: ruby-core

Issue #16238 has been updated by rbjl (Jan Lelis).


That was quick, thanks!

-- 
https://bugs.ruby-lang.org/


* [ruby-core:95227] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
       [not found] <redmine.issue-16238.20191004132159@ruby-lang.org>
                   ` (3 preceding siblings ...)
  2019-10-04 13:58 ` [ruby-core:95225] " mail
@ 2019-10-04 15:34 ` mail
  4 siblings, 0 replies; 5+ messages in thread
From: mail @ 2019-10-04 15:34 UTC (permalink / raw)
  To: ruby-core

Issue #16238 has been updated by rbjl (Jan Lelis).


I have added a short notice for people interested to https://stdgems.org/webrick/#notes

Btw, do you use a tool assisting with merging the upstream changes? If not I'd offer to build one (not totally automated, but might be helpful for standard tasks)

-- 
https://bugs.ruby-lang.org/

