Issue #16238 has been reported by rbjl (Jan Lelis).

----------------------------------------
Bug #16238: Publish new WEBrick version to rubygems.org
https://bugs.ruby-lang.org/issues/16238

* Author: rbjl (Jan Lelis)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The latest security releases of Ruby include some fixes in the webrick default gem:

- https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

However, as of now, the changes have not been published to rubygems:

- https://rubygems.org/gems/webrick

More confusingly, the version number of webrick has not been changed yet: https://github.com/ruby/ruby/blob/v2_6_5/lib/webrick/version.rb (still 1.4.2 as before the security patches). This is problematic, because now multiple versions of version 1.4.2 of webrick exist... It also prevents people from quickly resolving the webrick-related security issue by just installing the new version of webrick.

In the past, security patches often led to a fourth-place version number (see, for example, rubygems itself, or [rdoc](https://github.com/ruby/ruby/commit/8c57255f87e2a70a033d9b1e2bdd474bc1ba6cc5)).

I suggest that a new version of webrick should be released to rubygems. I am also curious about how the process of dealing with similar issues in the future can be optimized.

-- 
https://bugs.ruby-lang.org/