FS#68051 - [security][ruby][ruby2.6] CVE-2020-25613
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Tuesday, 29 September 2020, 23:36 GMT
Last edited by Antonio Rojas (arojas) - Sunday, 19 June 2022, 09:33 GMT
Details
Description:
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.

Affected versions:
* webrick gem 1.6.0 or prior
* bundled versions of webrick in ruby 2.7.1 or prior
* bundled versions of webrick in ruby 2.6.6 or prior
* bundled versions of webrick in ruby 2.5.8 or prior

Additional info:
* ruby 2.7.1-3
* ruby2.6 2.6.6-1
* https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
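The difference between a tolerant and a strict Transfer-Encoding check, as an added example for this report (not WEBrick's code and not taken from the upstream commit). The function names, the sample values and the policy of rejecting anything other than the single token "chunked" are assumptions made for illustration.

```ruby
# Added example: not WEBrick's code. All names below are hypothetical.

# Tolerant check: any value that merely contains "chunked" counts.
def lenient_chunked?(value)
  !value.nil? && value.match?(/chunked/i)
end

# Strict check: only the exact token "chunked" (case-insensitive) counts.
def strict_chunked?(value)
  !value.nil? && value.match?(/\Achunked\z/i)
end

# Constructed sample header values, for illustration only.
SAMPLE_VALUES = ["chunked", "CHUNKED", "xchunked", "chunked, identity", "identity"].freeze

# Values on which the two checks disagree, i.e. where a tolerant server and
# a strict intermediary would frame the same request body differently.
def disagreements(values)
  values.select { |v| lenient_chunked?(v) != strict_chunked?(v) }
end

# Conservative framing decision for a header hash with lower-cased names.
# Returns :chunked, :content_length, :none or :reject (answer 400 and close).
def body_framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  if te
    return :reject unless strict_chunked?(te)  # unknown or malformed coding
    return :reject if cl                       # two competing length signals
    return :chunked
  end
  return :none if cl.nil?
  cl.match?(/\A\d+\z/) ? :content_length : :reject
end

if __FILE__ == $PROGRAM_NAME
  disagreements(SAMPLE_VALUES).each { |v| puts "ambiguous: #{v.inspect}" }
end
```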
[1] https://git.ruby-lang.org/ruby.git/commit/?id=828c34e58b63d64558ec0f2d1d7ae401c5e6b21f
Leaving patching 2.6 to Sergei who added ruby26 to the repo.