[ruby-core:113406] [Ruby master Bug#19629] Fix for CVE-2023-28755 breaks "puppet apply" run
From: "jeremyevans0 (Jeremy Evans) via ruby-core" <ruby-core@...>
Date: 2023-05-05 20:08:58 UTC
List: ruby-core #113406
Issue #19629 has been updated by jeremyevans0 (Jeremy Evans).
Status changed from Open to Third Party's Issue
In Ruby 2.7.8 and 3.0.6, URI#host returns `nil`. Ruby 3.1.4 and 3.2.2 return `""`:
```
$ ruby32 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby31 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby30 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
$ ruby27 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
```
Not sure why the Ubuntu Ruby 2.7 behavior is different, but I would guess it is due to how they backported it. You should probably report the issue to the Ubuntu developers. Looking at the PuppetLabs ticket, they say basically the same thing.
----------------------------------------
Bug #19629: Fix for CVE-2023-28755 breaks "puppet apply" run
https://bugs.ruby-lang.org/issues/19629#change-102978
* Author: ManuelKiessling (Manuel Kießling)
* Status: Third Party's Issue
* Priority: Normal
* ruby -v: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux-gnu]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
(Not necessarily a bug in Ruby - chances are I should have formatted my Puppet file URIs differently from the get-go.)
However, since yesterday I'm getting these errors when running `puppet apply`:
Could not evaluate: Could not retrieve file metadata for puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades: Failed to open TCP connection to :8140 (Connection refused - connect(2) for "" port 8140)
I think the reason this happens now in an otherwise completely unchanged environment is that on my Ubuntu system, a new ruby2.7 package has been installed, due to CVE-2023-28755. See http://changelogs.ubuntu.com/changelogs/pool/main/r/ruby2.7/ruby2.7_2.7.0-5ubuntu1.9/changelog for the backport info.
The patch info (URI.parse should set empty string in host instead of nil in lib/uri/rfc3986_parser.rb, raise ArgumentError with empty host url again in lib/net/http/generic_request.rb.) sounds exactly like the reason I'm suddenly running into this error: `puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades` is a URI with an empty hostname - or is it? It's actually meant to refer to a local file, not a file on remote host ""; however, this is how it now seems to be interpreted: protocol `puppet`, hostname ``, path `/modules/unattended_upgrades...`.
Because the patched code now returns `""` for the hostname instead of `nil`, it tries to do a hostname lookup for `""` which of course fails.
Not sure if this is an intended consequence of the patch in this specific context, which is why I'm reporting it.
-- 
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
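
Code that reads URI#host can tolerate the `nil` versus `""` difference shown in this thread by treating both as "no host given" before it opens a connection. The following Ruby sketch is an added example, not code from Ruby, Puppet or anyone in this thread; the helper names, `server.example` and `puppet.example.test` are hypothetical, and port 8140 is taken from the error message in the report.

```ruby
require "uri"

# Port seen in the error message quoted in the report.
DEFAULT_PORT = 8140

# Return the host named in the URI's authority, or nil when none is given.
# For "scheme:///path", Ruby 2.7.8 and 3.0.6 return nil from URI#host while
# 3.1.4 and 3.2.2 return ""; both are normalised to nil here so callers do
# not depend on which patch level is installed.
def explicit_host(uri_string)
  host = URI(uri_string).host
  (host.nil? || host.empty?) ? nil : host
end

# Decide which [host, port] a client should contact for a URI.
# default_server is the caller's configured server (hypothetical parameter).
# Raises ArgumentError instead of attempting a connection to "".
def connection_target(uri_string, default_server:, default_port: DEFAULT_PORT)
  uri  = URI(uri_string)
  host = explicit_host(uri_string) || default_server
  if host.nil? || host.empty?
    raise ArgumentError, "no host in #{uri_string.inspect} and no default server"
  end
  [host, uri.port || default_port]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input based on the URI form quoted in the report.
  sample = "puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades"
  p URI(sample).host        # nil or "" depending on the Ruby patch level
  p explicit_host(sample)   # nil on every version
  p connection_target(sample, default_server: "puppet.example.test")
end
```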