RubyForge: Rainbows!: File Release Notes and Changelog

Notes:
Release Name: 0.2.1

Notes:
Zbatery is an HTTP server for Rack applications on systems that either
do not support fork(), or have no memory (nor need) to run the
master/worker model.  It is based on Rainbows! (which is based on
Unicorn (which is based on Mongrel)) and inherits parts of each.
Zbatery supports your choice of all the thread/fiber/event/actor-based
concurrency models and Rack middleware that Rainbows! supports (or will
ever support) in a single process.

* http://zbatery.bogomip.org/
* rainbows-talk@rubyforge.org
* git://git.bogomips.org/zbatery.git

Changes:

This release fixes a denial-of-service vector for deployments
exposed directly to untrusted clients.

The HTTP parser in Unicorn <= 0.97.0 would trip an assertion
(killing the associated worker process) on invalid
Content-Length headers instead of raising an exception.  Since
Rainbows! and Zbatery supports multiple clients per worker
process, all clients connected to the worker process that hit
the assertion would be aborted.

Deployments behind nginx are _not_ affected by this bug, as
nginx will reject clients that send invalid Content-Length
headers.

The status of deployments behind other HTTP-aware proxies is
unknown.  Deployments behind a non-HTTP-aware proxy (or no proxy
at all) are certainly affected by this DoS.

Users are strongly encouraged to upgrade as soon as possible,
there are no other changes besides this bug fix from Rainbows!
0.91.0 nor Unicorn 0.97.0

This bug affects all previously released versions of Rainbows!
and Zbatery.



Changes:
 GIT-VERSION-GEN        |    2 +-
 lib/zbatery.rb         |    2 +-
 t/t0003-reopen-logs.sh |    4 ++--
 zbatery.gemspec        |   10 +++++-----
 4 files changed, 9 insertions(+), 9 deletions(-)

commit 5764336aa3785af8a08be7ec7b40846ec139eb6c
Author: Eric Wong 
Date:   Mon Apr 19 14:14:46 2010 -0700

    Zbatery 0.2.1 - use a less-broken parser from Unicorn
    
    This release fixes a denial-of-service vector for deployments
    exposed directly to untrusted clients.
    
    The HTTP parser in Unicorn <= 0.97.0 would trip an assertion
    (killing the associated worker process) on invalid
    Content-Length headers instead of raising an exception.  Since
    Rainbows! and Zbatery supports multiple clients per worker
    process, all clients connected to the worker process that hit
    the assertion would be aborted.
    
    Deployments behind nginx are _not_ affected by this bug, as
    nginx will reject clients that send invalid Content-Length
    headers.
    
    The status of deployments behind other HTTP-aware proxies is
    unknown.  Deployments behind a non-HTTP-aware proxy (or no proxy
    at all) are certainly affected by this DoS.
    
    Users are strongly encouraged to upgrade as soon as possible,
    there are no other changes besides this bug fix from Rainbows!
    0.91.0 nor Unicorn 0.97.0
    
    This bug affects all previously released versions of Rainbows!
    and Zbatery.

commit bf277616bf1a13385150260c8bccb1d97b830bec
Author: Eric Wong 
Date:   Mon Mar 1 18:22:14 2010 +0000

    t0003: fix error log check
    
    We don't have "worker" processes in here.