zbatery 0.2.0 → 0.2.1

data/ChangeLog

@@ -1,5 +1,44 @@
-ChangeLog from git://git.bogomips.org/zbatery.git (v0.1.1..v0.2.0)
+ChangeLog from git://git.bogomips.org/zbatery.git (v0.1.1..v0.2.1)
 
+    commit 5764336aa3785af8a08be7ec7b40846ec139eb6c
+    Author: Eric Wong <normalperson@yhbt.net>
+    Date:   Mon Apr 19 14:14:46 2010 -0700
+    
+        Zbatery 0.2.1 - use a less-broken parser from Unicorn
+        
+        This release fixes a denial-of-service vector for deployments
+        exposed directly to untrusted clients.
+        
+        The HTTP parser in Unicorn <= 0.97.0 would trip an assertion
+        (killing the associated worker process) on invalid
+        Content-Length headers instead of raising an exception.  Since
+        Rainbows! and Zbatery supports multiple clients per worker
+        process, all clients connected to the worker process that hit
+        the assertion would be aborted.
+        
+        Deployments behind nginx are _not_ affected by this bug, as
+        nginx will reject clients that send invalid Content-Length
+        headers.
+        
+        The status of deployments behind other HTTP-aware proxies is
+        unknown.  Deployments behind a non-HTTP-aware proxy (or no proxy
+        at all) are certainly affected by this DoS.
+        
+        Users are strongly encouraged to upgrade as soon as possible,
+        there are no other changes besides this bug fix from Rainbows!
+        0.91.0 nor Unicorn 0.97.0
+        
+        This bug affects all previously released versions of Rainbows!
+        and Zbatery.
+    
+    commit bf277616bf1a13385150260c8bccb1d97b830bec
+    Author: Eric Wong <normalperson@yhbt.net>
+    Date:   Mon Mar 1 18:22:14 2010 +0000
+    
+        t0003: fix error log check
+        
+        We don't have "worker" processes in here.
+    
     commit 816d4e840fca8606215a328beda90dd92153bcd7
     Author: Eric Wong <normalperson@yhbt.net>
     Date:   Mon Mar 1 10:40:51 2010 +0000

data/GIT-VERSION-FILE

@@ -1 +1 @@
-GIT_VERSION = 0.2.0
+GIT_VERSION = 0.2.1

data/GIT-VERSION-GEN

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v0.2.0.GIT
+DEF_VER=v0.2.1.GIT
 
 LF='
 '

data/NEWS

@@ -1,3 +1,30 @@
+=== 0.2.1 / 2010-04-19 21:16 UTC
+
+  This release fixes a denial-of-service vector for deployments
+  exposed directly to untrusted clients.
+
+  The HTTP parser in Unicorn <= 0.97.0 would trip an assertion
+  (killing the associated worker process) on invalid
+  Content-Length headers instead of raising an exception.  Since
+  Rainbows! and Zbatery supports multiple clients per worker
+  process, all clients connected to the worker process that hit
+  the assertion would be aborted.
+
+  Deployments behind nginx are _not_ affected by this bug, as
+  nginx will reject clients that send invalid Content-Length
+  headers.
+
+  The status of deployments behind other HTTP-aware proxies is
+  unknown.  Deployments behind a non-HTTP-aware proxy (or no proxy
+  at all) are certainly affected by this DoS.
+
+  Users are strongly encouraged to upgrade as soon as possible,
+  there are no other changes besides this bug fix from Rainbows!
+  0.91.0 nor Unicorn 0.97.0
+
+  This bug affects all previously released versions of Rainbows!
+  and Zbatery.
+
 === 0.2.0 / 2010-03-01 10:42 UTC
 
   This release resyncs against the latest features/cleanups

data/lib/zbatery.rb

@@ -4,7 +4,7 @@ require 'rainbows'
 module Zbatery
 
   # current version of Zbatery
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 
   class << self
 

data/t/t0003-reopen-logs.sh

@@ -44,9 +44,9 @@ t_begin "wait for rotated log to reappear" && {
 	done
 }
 
-t_begin "wait for worker to reopen logs" && {
+t_begin "wait to reopen logs" && {
 	nr=60
-	re="worker=.* done reopening logs"
+	re="done reopening logs"
 	while ! grep "$re" < $r_err >/dev/null && test $nr -ge 0
 	do
 		sleep 1

data/zbatery.gemspec

@@ -50,11 +50,11 @@ Gem::Specification.new do |s|
   #   espace-neverblock + eventmachine
   #   async_sinatra + sinatra + eventmachine
   #
-  # rainbows 0.90.2 depends on unicorn 0.96.1,
-  # unicorn 0.96.0 and before had a memory leak
-  # that was only triggered in Rainbows!/Zbatery
-  s.add_dependency(%q<unicorn>, ["~> 0.97.0"])
-  s.add_dependency(%q<rainbows>, [">= 0.91.0", "<= 1.0.0"])
+  # rainbows 0.91.1 depends on unicorn ~> 0.97.1, previous versions of
+  # Unicorn were vulnerable to a remote DoS when exposed directly to
+  # untrusted clients (a configuration only supported by Zbatery and Rainbows!,
+  # Unicorn has never and will never be supported without trusted LAN clients.
+  s.add_dependency(%q<rainbows>, [">= 0.91.1", "<= 1.0.0"])
 
   # s.licenses = %w(GPLv2 Ruby) # accessor not compatible with older RubyGems
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: zbatery
 version: !ruby/object:Gem::Version 
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors: 
 - Zbatery hackers
@@ -9,19 +9,9 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-03-01 00:00:00 +00:00
+date: 2010-04-19 00:00:00 +00:00
 default_executable: 
 dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: unicorn
-  type: :runtime
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: 0.97.0
-    version: 
 - !ruby/object:Gem::Dependency 
   name: rainbows
   type: :runtime
@@ -30,7 +20,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        version: 0.91.0
+        version: 0.91.1
     - - <=
       - !ruby/object:Gem::Version 
         version: 1.0.0