[DRE-maint] Bug#977750: ruby-http-parser.rb: Upcoming test suite regression with http-parser 2.9.4

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Sun Dec 20 09:07:40 GMT 2020


Package: ruby-http-parser.rb
Version: 0.6.0-5+b1
Severity: important
Tags: upstream
Forwarded: https://github.com/tmm1/http_parser.rb/issues/68

Dear Maintainer,

the http-parser library will see an update to 2.9.4 (currently in
unstable: 2.9.2) fairly soon; it fixes a security issue¹. During a
regression check however I noticed your package will no longer build in
unstable due to a failing test:

|   Failures:
|
|     1) HTTP::Parser should parse request: post identity body world
|        Failure/Error: @parser << test['raw']
|
|        HTTP::Parser::Error:
|          Could not parse data entirely (116 != 122)
|        # ./spec/parser_spec.rb:317:in `<<'
|        # ./spec/parser_spec.rb:317:in `block (4 levels) in <top (required)>'

You can verify by re-building your package using the http-parser version
available in experimental (2.9.3).

Root cause is a stricter checking of HTTP request headers in
http-parser. This is a direct result of the fix, so this will affect
stable as well, more on that below. There's already a bug report
upstream (filed by yours truly):

    https://github.com/tmm1/http_parser.rb/issues/68

Please follow closely and upload a new version as soon as a fix is
available. An alternative fix was to enable the "lenient" mode for that
test - but it seems that http-parser feature is not available in the
Ruby bindings.

Once http-parser 2.9.4 reaches unstable, I'll raise the bug severity and
prepare a NMU to prevent your package from falling out of testing.
Having issues handled by the maintainers themselves is still my
preferred way of action, though.

After that I will prepare a fixed http-parser for stable (10, "buster")
as well. This will foreseeably affect the stable version of your package,
too. I'll do the corresponding checks and get back to you then.

Kind regards,

    Christoph

¹ https://security-tracker.debian.org/tracker/CVE-2019-15605
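The failure above comes from stricter request-framing checks, and the report notes that http-parser's "lenient" mode is not exposed in the Ruby bindings. The following Ruby script is an added example, not code from this bug report, from http-parser or from the http_parser.rb gem: it models the kind of check a stricter parser applies to Content-Length / Transfer-Encoding combinations (the request-smuggling class of problem behind CVE-2019-15605) and shows how a lenient switch restores the older permissive reading. The helper names (`split_request`, `body_framing`, `parse_request`, `FramingError`) and the sample requests are constructed for this example; the exact rules http-parser 2.9.3/2.9.4 enforce are an assumption based on RFC 7230 §3.3.3.

```ruby
# Added example: models strict vs. lenient HTTP/1.1 body-framing checks.
# Not the http_parser.rb gem's API; names and samples are constructed.

class FramingError < StandardError; end

# Split a raw HTTP/1.1 request into [request_line, headers, body].
# Header names are downcased; repeated headers are collected in an array.
# Whitespace between a field name and the colon is rejected (RFC 7230 §3.2.4).
def split_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  raise FramingError, 'missing end of headers' if body.nil?
  request_line, *lines = head.split("\r\n")
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    if value.nil? || name.match?(/\s/)
      raise FramingError, "malformed header line: #{line.inspect}"
    end
    (headers[name.downcase] ||= []) << value.strip
  end
  [request_line, headers, body]
end

# Decide how the message body is delimited. Returns [:chunked, nil],
# [:content_length, n] or [:none, 0], or raises FramingError when the
# headers are ambiguous. Strict mode (default) follows RFC 7230 §3.3.3;
# lenient mode keeps the historic permissive behaviour.
def body_framing(headers, lenient: false)
  te = headers.fetch('transfer-encoding', [])
  cl = headers.fetch('content-length', [])

  unless te.empty?
    codings = te.join(',').split(',').map { |c| c.strip.downcase }.reject(&:empty?)
    if codings.last == 'chunked'
      # Both headers present: ambiguous framing, reject unless lenient
      # (lenient follows the RFC's "Transfer-Encoding takes precedence").
      raise FramingError, 'Content-Length with Transfer-Encoding' if !cl.empty? && !lenient
      return [:chunked, nil]
    end
    # A transfer coding that does not end in "chunked" (e.g. "identity")
    # leaves the body length undeterminable: strict mode rejects it.
    unless lenient
      raise FramingError, "Transfer-Encoding without final chunked: #{codings.join(',')}"
    end
    # Lenient: treat the non-chunked coding as absent and fall through.
  end

  return [:none, 0] if cl.empty?
  values = cl.uniq
  raise FramingError, "conflicting Content-Length values: #{cl.join(', ')}" if values.size > 1
  raise FramingError, "invalid Content-Length: #{values.first}" unless values.first.match?(/\A\d+\z/)
  [:content_length, values.first.to_i]
end

# Parse a whole request; returns { framing:, body: } or raises FramingError.
# Chunk decoding is not modelled: a chunked body is returned undecoded.
def parse_request(raw, lenient: false)
  _request_line, headers, body = split_request(raw)
  kind, length = body_framing(headers, lenient: lenient)
  case kind
  when :content_length
    raise FramingError, 'body shorter than Content-Length' if body.bytesize < length
    { framing: kind, body: body.byteslice(0, length) }
  when :none
    { framing: kind, body: '' }
  when :chunked
    { framing: kind, body: body }
  end
end

# Constructed sample requests (not taken from the bug report or any test suite).
PLAIN_LENGTH = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" \
               "Content-Length: 5\r\n\r\nWorld"
IDENTITY_AND_LENGTH = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" \
                      "Transfer-Encoding: identity\r\nContent-Length: 5\r\n\r\nWorld"
CHUNKED_AND_LENGTH = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" \
                     "Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n"

if $PROGRAM_NAME == __FILE__
  { 'plain' => PLAIN_LENGTH, 'identity+length' => IDENTITY_AND_LENGTH,
    'chunked+length' => CHUNKED_AND_LENGTH }.each do |label, req|
    [false, true].each do |lenient|
      result = begin
        parse_request(req, lenient: lenient)
      rescue FramingError => e
        "rejected (#{e.message})"
      end
      puts "#{label} lenient=#{lenient}: #{result.inspect}"
    end
  end
end
```

Run with `ruby framing_check.rb`: the identity-plus-Content-Length request, which the old parser accepted, is rejected in strict mode and accepted only when `lenient: true` is passed; this is the same shape of behaviour change the failing spec above runs into when the bindings offer no way to set lenient mode.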
