Your message dated Fri, 26 Aug 2022 17:32:55 +0000
with message-id <e1ordcr-003q1t...@fasolo.debian.org>
and subject line Bug#977750: fixed in ruby-http-parser.rb 0.6.0-4+deb10u1
has caused the Debian Bug report #977750,
regarding ruby-http-parser.rb: Upcoming test suite regression with http-parser 2.9.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
977750: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977750
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby-http-parser.rb
Version: 0.6.0-5+b1
Severity: important
Tags: upstream
Forwarded: https://github.com/tmm1/http_parser.rb/issues/68

Dear Maintainer,

the http-parser library will see an update to 2.9.4 (currently in
unstable: 2.9.2) fairly soon, it fixes a security issue¹.

During a regression check however I noticed your package will no longer
build in unstable due to a failing test:

| Failures:
|
|   1) HTTP::Parser should parse request: post identity body world
|      Failure/Error: @parser << test['raw']
|
|      HTTP::Parser::Error:
|        Could not parse data entirely (116 != 122)
|      # ./spec/parser_spec.rb:317:in `<<'
|      # ./spec/parser_spec.rb:317:in `block (4 levels) in <top (required)>'

You can verify by re-building your package using the http-parser version
available in experimental (2.9.3).

Root cause is a stricter checking of HTTP request headers in
http-parser. This is a direct result of the fix, so this will affect
stable as well, more on that below.

There's already a bug report upstream (filed by yours truly):

https://github.com/tmm1/http_parser.rb/issues/68

Please follow closely and upload a new version as soon as a fix is
available. An alternative fix was to enable the "lenient" mode for that
test - but it seems that http-parser feature is not available in the
Ruby bindings.

Once http-parser 2.9.4 reaches unstable, I'll raise the bug severity and
prepare a NMU to prevent your package from falling out of testing.
Having issues handled by the maintainers themselves is still my
preferred way of action, though.

After that I will prepare a fixed http-parser for stable (10, "buster")
as well. This will foreseeably affect the stable version of your package,
too. I'll do according checks and get back to you then.

Kind regards,

Christoph

¹ https://security-tracker.debian.org/tracker/CVE-2019-15605
--- End Message ---
--- Begin Message ---
Source: ruby-http-parser.rb
Source-Version: 0.6.0-4+deb10u1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-http-parser.rb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 977...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated ruby-http-parser.rb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Aug 2022 21:52:11 +0300
Source: ruby-http-parser.rb
Architecture: source
Version: 0.6.0-4+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 977750
Changes:
 ruby-http-parser.rb (0.6.0-4+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * Relax "post identity body world" test to fix FTBFS with the
     CVE-2019-15605 fix in http-parser.
     (Closes: #977750)
--- End Message ---