See http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk for a description of this problem. Currently only 2.0.5 is available as a release. The page also mentions 2.2.0, but we currently don't have a 2.2.x release in portage.
Rails 2.0.5 is now in CVS. I propose to test this version for at least a week before we stable it.
This again [1] is a ruby bug that manifests itself mainly in rails. Ruby upstream are currently deciding on a patch [2], I expect a decision in the next few days. So, ruby would be on the to-do list, too.
[1] similar to bug #236060
[2] http://article.gmane.org/gmane.comp.lang.ruby.core/18709
(In reply to comment #1)
> Rails 2.0.5 is now in CVS. I propose to test this version for at least a week
> before we stable it.
Sounds good.
Rails 2.1.2 is now in CVS.
Rails is all fixed, no more vulnerable versions in the tree, everything stable. Ruby upstream obviously have no reason to fix this, it didn't even get any response on the dev ML. After talking to rbu, we don't want to deviate from upstream and so don't patch this into Ruby. So, do we need a GLSA for rails? I'd say NO.
As for me, HTTP response splitting and header injection is mainly an attack vector and has no security impact by itself, but only together with another application vulnerability. So, unless there is a serious security issue (code injection, SQL injection, denial of service, privilege escalation) caused by this bug on a standard application, I would say noglsa. And I'm rerating to B4 and severity is "Minor" for both B3 and B4.
NO, too. Closing.