Bug #16238
Publish new WEBrick version to rubygems.org (Closed)
Description
The latest security releases of Ruby include some fixes in the webrick default gem:
- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
However, as of now, the changes have not been published to rubygems:
More confusingly, the version number of webrick has not been changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2, as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick.
In the past, security patches often led to a fourth-place version number (see, for example, rubygems itself, or rdoc).
I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized.
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
- Status changed from Open to Assigned
- Assignee set to hsbt (Hiroshi SHIBATA)
I'm working on it now. I need to triage the changeset from ruby/ruby master.
Please wait a few days.
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
- Status changed from Assigned to Closed
Updated by rbjl (Jan Lelis) about 5 years ago
That was quick, thanks!
Updated by rbjl (Jan Lelis) about 5 years ago
I have added a short notice for people interested to https://stdgems.org/webrick/#notes
Btw, do you use a tool assisting with merging the upstream changes? If not, I'd offer to build one (not totally automated, but it might be helpful for standard tasks).