Date: Fri, 04 Oct 2019 15:34:11 +0000 (UTC)
From: mail@janlelis.de
X-Redmine-Project: ruby-trunk
X-Redmine-Issue-Id: 16238
X-Redmine-Issue-Author: rbjl
X-Redmine-Issue-Assignee: hsbt
X-Redmine-Sender: rbjl
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Site: Ruby Issue Tracking System
To: ruby-core@ruby-lang.org
X-ML-Name: ruby-core
X-Mail-Count: 95227
Subject: [ruby-core:95227] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org
Reply-To: Ruby developers
List-Id: Ruby developers
Content-Type: text/plain; charset="us-ascii"
Sender: "ruby-core"

Issue #16238 has been updated by rbjl (Jan Lelis).

I have added a short notice for people interested to https://stdgems.org/webrick/#notes

Btw, do you use a tool assisting with merging the upstream changes? If not, I'd offer to build one (not totally automated, but might be helpful for standard tasks).

----------------------------------------
Bug #16238: Publish new WEBrick version to rubygems.org
https://bugs.ruby-lang.org/issues/16238#change-81901

* Author: rbjl (Jan Lelis)
* Status: Closed
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version:
* ruby -v:
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The latest security releases of Ruby include some fixes in the webrick default gem:

- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

However, as of now, the changes have not been published to rubygems:

- https://rubygems.org/gems/webrick

More confusingly, the version number of webrick has not been changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick.

In the past, security patches often led to a fourth-place version number (see, for example, rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5)).

I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized.

-- 
https://bugs.ruby-lang.org/
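Editor's note, added here and not part of the message above or of WEBrick's own code: the practical consequence of an unchanged version number is that `Gem::Version` (and any lockfile or audit tool keyed on it) cannot tell a patched 1.4.2 from an unpatched one, so the only way to know which build you have is to exercise the behaviour. The script below is a constructed illustration of the bug class named by CVE-2019-16254 (a header value carrying CR/LF reaching the wire unchecked) next to its hardened form, plus a probe that feeds an injected header through any serializer and reports whether the injection lands. The serializer, header names and `InvalidHeaderValue` exception are assumptions of this example, not WEBrick identifiers; it does not require the webrick gem at all.

```ruby
# Added illustration, not WEBrick's own code. Shows (1) why comparing gem
# versions cannot distinguish two builds that both report 1.4.2, and (2) a
# behavioural probe for HTTP response splitting run against a toy serializer
# in its vulnerable and hardened forms.
require "rubygems"

CRLF = "\r\n"

# Vulnerable form: header values are interpolated onto the wire unchecked,
# so a value containing CRLF becomes an extra header (or even a body).
# Constructed toy serializer, not WEBrick::HTTPResponse.
def serialize_unchecked(status, headers, body)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |k, v| lines << "#{k}: #{v}" }
  lines.join(CRLF) + CRLF + CRLF + body
end

# Hypothetical exception name for this example.
class InvalidHeaderValue < StandardError; end

# Hardened form: refuse any bare CR or LF in a header name or value before
# anything is written. Rejecting is safer than stripping, which can still
# produce a surprising but well-formed response.
def serialize_checked(status, headers, body)
  headers.each do |k, v|
    if k.to_s.match?(/[\r\n]/) || v.to_s.match?(/[\r\n]/)
      raise InvalidHeaderValue, "CR/LF in header #{k.inspect}"
    end
  end
  serialize_unchecked(status, headers, body)
end

# Parse the serialized bytes the way a client would: the header block runs
# up to the first blank line, one "Name: value" pair per line.
def parse_headers(raw)
  head, _sep, _body = raw.partition(CRLF + CRLF)
  head.split(CRLF).drop(1).map { |l| l.split(": ", 2) }.to_h
end

# Behavioural probe: push a value carrying an injected Set-Cookie header
# through the serializer and see whether the client-side parse sees it as a
# separate header. Returns :vulnerable, :safe (injection swallowed) or
# :rejected (serializer refused the value).
def probe(serializer)
  payload = "safe" + CRLF + "Set-Cookie: session=attacker"
  raw = serializer.call(200, { "X-Echo" => payload }, "")
  parse_headers(raw).key?("Set-Cookie") ? :vulnerable : :safe
rescue InvalidHeaderValue
  :rejected
end

# Version comparison is useless here: both builds answer "1.4.2".
def distinguishable_by_version?(a, b)
  Gem::Version.new(a) != Gem::Version.new(b)
end

if __FILE__ == $0
  puts "distinguishable by version: #{distinguishable_by_version?('1.4.2', '1.4.2')}"
  puts "unchecked serializer: #{probe(method(:serialize_unchecked))}"
  puts "checked serializer:   #{probe(method(:serialize_checked))}"
end
```

The same probe shape (construct the hostile input, run it through the component, parse the result as the downstream consumer would) is what a deployment check should do when, as in this thread, the version string cannot be trusted to reflect the patch state.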