
FS#68051 - [security][ruby][ruby2.6] CVE-2020-25613

Attached to Project: Arch Linux
Opened by loqs (loqs) - Tuesday, 29 September 2020, 23:36 GMT
Last edited by Anatol Pomozov (anatolik) - Wednesday, 30 September 2020, 22:14 GMT

Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.
Affected versions:
* webrick gem 1.6.0 or prior
* bundled versions of webrick in ruby 2.7.1 or prior
* bundled versions of webrick in ruby 2.6.6 or prior
* bundled versions of webrick in ruby 2.5.8 or prior


Additional info:
* ruby 2.7.1-3
* ruby2.6 2.6.6-1
* https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
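To make the "too tolerant" point in the description concrete, here is a small Ruby illustration added to this report (it is not WEBrick's code and not the upstream patch linked below). It contrasts a lenient substring match on the Transfer-Encoding value with a strict check that accepts only an exact `chunked` token and refuses every other value; the sample header values are constructed, and the strict rule's refusal of multi-coding lists is a conservative choice made here, not a rule taken from the advisory.

```ruby
# Added illustration, not WEBrick's implementation: a lenient versus a strict
# check on the Transfer-Encoding request header, run over the same inputs.
# When a server accepts a value that the proxy in front of it does not read
# as chunked, the two disagree on where the body ends; that disagreement is
# the request-smuggling risk the advisory describes.

class BadTransferEncoding < StandardError; end

# Lenient check: any value that merely *contains* "chunked" counts as chunked.
def lenient_chunked?(value)
  !!(value =~ /chunked/i)
end

# Strict check: the header must be exactly the single token "chunked"
# (surrounding whitespace allowed). Anything else is refused, not guessed at.
# Returns :chunked or :none; raises BadTransferEncoding otherwise.
def strict_transfer_encoding(value)
  return :none if value.nil?
  return :chunked if value =~ /\A[ \t]*chunked[ \t]*\z/i
  raise BadTransferEncoding, "Transfer-Encoding: #{value.inspect}"
end

# Constructed sample header values (not captured from real traffic).
SAMPLES = [
  "chunked",
  "Chunked",
  "xchunked",
  "chunked, identity",
  "gzip, chunked",
  "chunked;ext",
].freeze

# Values on which the two checks disagree: accepted as chunked by the lenient
# check, turned into an error by the strict one.
def disagreements(samples = SAMPLES)
  samples.select do |v|
    strict = begin
      strict_transfer_encoding(v) == :chunked
    rescue BadTransferEncoding
      false
    end
    lenient_chunked?(v) != strict
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "accepted by lenient, refused by strict: #{disagreements.inspect}"
end
```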
Comment by loqs (loqs) - Wednesday, 30 September 2020, 22:00 GMT
Fix on the 2.7 branch [1]. It applies cleanly to 2.7.1 and 2.6.6.

[1] https://git.ruby-lang.org/ruby.git/commit/?id=828c34e58b63d64558ec0f2d1d7ae401c5e6b21f

Comment by Anatol Pomozov (anatolik) - Wednesday, 30 September 2020, 22:14 GMT
ruby2.7 has been patched in ruby-2.7.1-4

Leaving patching 2.6 to Sergei who added ruby26 to the repo.

Comment by Anatol Pomozov (anatolik) - Wednesday, 30 September 2020, 22:15 GMT
This task cannot be assigned to Sergei, so I added him at the "Notification" page.