From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-4.1 required=3.0 tests=AWL,BAYES_00, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 2CB681F4BD for ; Fri, 4 Oct 2019 13:53:44 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id 42DE0120AC7; Fri, 4 Oct 2019 22:53:35 +0900 (JST) Received: from o1678948x4.outbound-mail.sendgrid.net (o1678948x4.outbound-mail.sendgrid.net [167.89.48.4]) by neon.ruby-lang.org (Postfix) with ESMTPS id 1E423120AC6 for ; Fri, 4 Oct 2019 22:53:31 +0900 (JST) Received: by filter0148p3mdw1.sendgrid.net with SMTP id filter0148p3mdw1-9030-5D974EDB-9F 2019-10-04 13:53:31.935313106 +0000 UTC m=+70526.938326946 Received: from herokuapp.com (unknown [18.212.244.163]) by ismtpd0075p1mdw1.sendgrid.net (SG) with ESMTP id JLxOk6kRQx-dVGtILIdl1g for ; Fri, 04 Oct 2019 13:53:31.919 +0000 (UTC) Date: Fri, 04 Oct 2019 13:53:31 +0000 (UTC) From: hsbt@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 70811 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 16238 X-Redmine-Issue-Author: rbjl X-Redmine-Issue-Assignee: hsbt X-Redmine-Sender: hsbt X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: =?us-ascii?Q?9+ToIm+BmphpEzrVEr2fqVDpB0VofQNbgfqsVvtPdY1uAxO1XoVG+=2FDgF3tVGH?= =?us-ascii?Q?O58I4gmpAGW0nZTsAqoc1RiJ7glb5eTUDLDvtlE?= =?us-ascii?Q?+9YfMABkV3L2sMqZSBSM1KqUToY1DUk5Z5ZEi9k?= =?us-ascii?Q?v40DnMkl0pv22tTFuieeHcISfNfLR4IguJqjZhD?= =?us-ascii?Q?1Of9jyKpN17m5eIXOkjx8PgZKNhKzu9DxZA=3D=3D?= To: ruby-core@ruby-lang.org X-ML-Name: ruby-core X-Mail-Count: 95224 Subject: [ruby-core:95224] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #16238 has been updated by hsbt (Hiroshi SHIBATA). Status changed from Assigned to Closed Done https://rubygems.org/gems/webrick/versions/1.5.0 ---------------------------------------- Bug #16238: Publish new WEBrick version to rubygems.org https://bugs.ruby-lang.org/issues/16238#change-81897 * Author: rbjl (Jan Lelis) * Status: Closed * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) * Target version: * ruby -v: * Backport: 2.5: UNKNOWN, 2.6: UNKNOWN ---------------------------------------- The latest security releases of Ruby include some fixes in the webrick default gem: - https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/ - https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/ However, as of now, the changes have not been published to rubygems: - https://rubygems.org/gems/webrick More confusingly, the version number of webrick has not be changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick. In the past, security patches often led to a fourth-place-version-number (see for example, rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5)) I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized -- https://bugs.ruby-lang.org/