From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-4.1 required=3.0 tests=AWL,BAYES_00, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id D92FF1F4BD for ; Fri, 4 Oct 2019 13:41:43 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id E8474120AC1; Fri, 4 Oct 2019 22:41:33 +0900 (JST) Received: from o1678948x4.outbound-mail.sendgrid.net (o1678948x4.outbound-mail.sendgrid.net [167.89.48.4]) by neon.ruby-lang.org (Postfix) with ESMTPS id 8105B120AC0 for ; Fri, 4 Oct 2019 22:41:30 +0900 (JST) Received: by filter0086p3las1.sendgrid.net with SMTP id filter0086p3las1-460-5D974C0C-5 2019-10-04 13:41:32.125066857 +0000 UTC m=+67966.787643237 Received: from herokuapp.com (unknown [18.212.244.163]) by ismtpd0030p1mdw1.sendgrid.net (SG) with ESMTP id UQtFao0WRmGApfkW8gCang for ; Fri, 04 Oct 2019 13:41:31.932 +0000 (UTC) Date: Fri, 04 Oct 2019 13:41:32 +0000 (UTC) From: hsbt@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 70810 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 16238 X-Redmine-Issue-Author: rbjl X-Redmine-Issue-Assignee: hsbt X-Redmine-Sender: hsbt X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: =?us-ascii?Q?9+ToIm+BmphpEzrVEr2fqVDpB0VofQNbgfqsVvtPdY2QdZDvtFc4MGpmOKEGnm?= =?us-ascii?Q?jlZs6WHKGDNKQmJ9kkFWXqogBNjrmp=2FnRlsCmVE?= =?us-ascii?Q?1Bq+7Y+2DfZj8j9Z8auoIYlF8T3hGjrB6vwSfVF?= =?us-ascii?Q?jdMhsTIAuh8u8OYlwom8bpk2zTACjfvngjxDnQZ?= =?us-ascii?Q?s5tUSHluOmKTHvUH+V4uo6E0Exnf30w3fNQ=3D=3D?= To: ruby-core@ruby-lang.org X-ML-Name: ruby-core X-Mail-Count: 95223 Subject: [ruby-core:95223] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #16238 has been updated by hsbt (Hiroshi SHIBATA). Assignee set to hsbt (Hiroshi SHIBATA) Status changed from Open to Assigned I'm working on it now. I need to triage the changeset from ruby/ruby master. Please wait a few days. ---------------------------------------- Bug #16238: Publish new WEBrick version to rubygems.org https://bugs.ruby-lang.org/issues/16238#change-81896 * Author: rbjl (Jan Lelis) * Status: Assigned * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) * Target version: * ruby -v: * Backport: 2.5: UNKNOWN, 2.6: UNKNOWN ---------------------------------------- The latest security releases of Ruby include some fixes in the webrick default gem: - https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/ - https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/ However, as of now, the changes have not been published to rubygems: - https://rubygems.org/gems/webrick More confusingly, the version number of webrick has not be changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick. In the past, security patches often led to a fourth-place-version-number (see for example, rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5)) I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized -- https://bugs.ruby-lang.org/