From 5764336aa3785af8a08be7ec7b40846ec139eb6c Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Mon, 19 Apr 2010 14:14:46 -0700 Subject: [PATCH] Zbatery 0.2.1 - use a less-broken parser from Unicorn This release fixes a denial-of-service vector for deployments exposed directly to untrusted clients. The HTTP parser in Unicorn <= 0.97.0 would trip an assertion (killing the associated worker process) on invalid Content-Length headers instead of raising an exception. Since Rainbows! and Zbatery supports multiple clients per worker process, all clients connected to the worker process that hit the assertion would be aborted. Deployments behind nginx are _not_ affected by this bug, as nginx will reject clients that send invalid Content-Length headers. The status of deployments behind other HTTP-aware proxies is unknown. Deployments behind a non-HTTP-aware proxy (or no proxy at all) are certainly affected by this DoS. Users are strongly encouraged to upgrade as soon as possible, there are no other changes besides this bug fix from Rainbows! 0.91.0 nor Unicorn 0.97.0 This bug affects all previously released versions of Rainbows! and Zbatery. --- GIT-VERSION-GEN | 2 +- lib/zbatery.rb | 2 +- zbatery.gemspec | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index e36125a..2cadc89 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v0.2.0.GIT +DEF_VER=v0.2.1.GIT LF=' ' diff --git a/lib/zbatery.rb b/lib/zbatery.rb index 0b41906..75b03ba 100644 --- a/lib/zbatery.rb +++ b/lib/zbatery.rb @@ -4,7 +4,7 @@ require 'rainbows' module Zbatery # current version of Zbatery - VERSION = "0.2.0" + VERSION = "0.2.1" class << self diff --git a/zbatery.gemspec b/zbatery.gemspec index 5d84d9c..67c595b 100644 --- a/zbatery.gemspec +++ b/zbatery.gemspec @@ -50,11 +50,11 @@ Gem::Specification.new do |s| # espace-neverblock + eventmachine # async_sinatra + sinatra + eventmachine # - # rainbows 0.90.2 depends on unicorn 0.96.1, - # unicorn 0.96.0 and before had a memory leak - # that was only triggered in Rainbows!/Zbatery - s.add_dependency(%q, ["~> 0.97.0"]) - s.add_dependency(%q, [">= 0.91.0", "<= 1.0.0"]) + # rainbows 0.91.1 depends on unicorn ~> 0.97.1, previous versions of + # Unicorn were vulnerable to a remote DoS when exposed directly to + # untrusted clients (a configuration only supported by Zbatery and Rainbows!, + # Unicorn has never and will never be supported without trusted LAN clients. + s.add_dependency(%q, [">= 0.91.1", "<= 1.0.0"]) # s.licenses = %w(GPLv2 Ruby) # accessor not compatible with older RubyGems end -- 2.11.4.GIT