From: mail@...
Date: 2019-10-04T15:34:11+00:00
Subject: [ruby-core:95227] [Ruby master Bug#16238] Publish new WEBrick version to rubygems.org

Issue #16238 has been updated by rbjl (Jan Lelis).

I have added a short notice for people interested to https://stdgems.org/webrick/#notes

Btw, do you use a tool assisting with merging the upstream changes? If not, I'd offer to build one (not totally automated, but might be helpful for standard tasks).

----------------------------------------
Bug #16238: Publish new WEBrick version to rubygems.org
https://bugs.ruby-lang.org/issues/16238#change-81901

* Author: rbjl (Jan Lelis)
* Status: Closed
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version:
* ruby -v:
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The latest security releases of Ruby include some fixes in the webrick default gem:

- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

However, as of now, the changes have not been published to rubygems:

- https://rubygems.org/gems/webrick

More confusingly, the version number of webrick has not been changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick.

In the past, security patches often led to a fourth-place version number (see for example rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5)).

I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized.

--
https://bugs.ruby-lang.org/