Summary: | <dev-lang/ruby-{2.5.9,2.6.7,2.7.3}: HTTP Request Smuggling Vulnerability in WEBrick (CVE-2020-25613) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ajak, ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/ | ||
See Also: | https://bugs.ruby-lang.org/issues/17201 | ||
Whiteboard: | A4 [glsa+] | ||
Package list: | Runtime testing required: | --- |
Description
filip ambroz
2020-10-07 07:01:06 UTC

dev-lang/ruby 2.7.2 has been added. We do not package the webrick gem. Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.

Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9

ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
v2_5_9
ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
v2_6_7
v2_6_8
ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
v2_7_3
v2_7_4

3.0.0 is unaffected (it's always had the patch).

Just waiting for 2.5 cleanup here now, removal in a couple weeks.

Package list is empty or all packages have requested keywords.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
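The request-smuggling class this bug tracks, as an added Ruby example that is not code from this Gentoo bug, from WEBrick, or from the upstream patches listed above. It shows why a request carrying both Content-Length and Transfer-Encoding is framed differently by a length-only parser and a chunked-only parser, and a strict framing check (this example's own rule, written in the spirit of the upstream fix, not copied from it) that rejects such a request. The raw request, the header parser and the chunk decoder are all constructed for the example.

```ruby
# Added example (not code from Gentoo, WEBrick, or the upstream patches): why a
# request that carries both Content-Length and Transfer-Encoding is ambiguous,
# and a strict framing check that removes the ambiguity.

# Parse the request line and headers of a raw HTTP/1.1 request.
# Returns [request_line, headers (lower-cased name => value), body_offset].
def parse_head(raw)
  head, sep, _tail = raw.partition("\r\n\r\n")
  raise ArgumentError, "no end of headers" if sep.empty?
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header: #{line.inspect}" if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers, head.bytesize + sep.bytesize]
end

# Decode a chunked body that starts at +offset+ (trailers are not handled).
# Returns [body, offset just past the terminating CRLF].
def read_chunked(raw, offset)
  body = +""
  loop do
    line_end = raw.index("\r\n", offset)
    raise ArgumentError, "truncated chunk-size line" if line_end.nil?
    size = raw[offset...line_end].to_i(16)
    offset = line_end + 2
    return [body, offset + 2] if size.zero?   # "0\r\n" then the final "\r\n"
    body << raw[offset, size]
    offset += size + 2                         # chunk data plus its CRLF
  end
end

# Front-end view: frame the body by Content-Length only.
def body_by_content_length(raw)
  _, headers, offset = parse_head(raw)
  length = Integer(headers.fetch("content-length"))
  [raw[offset, length], offset + length]
end

# Back-end view: frame the body by Transfer-Encoding: chunked only.
def body_by_transfer_encoding(raw)
  _, headers, offset = parse_head(raw)
  te = headers["transfer-encoding"]
  raise ArgumentError, "not chunked" unless te && te.match?(/chunked/i)
  read_chunked(raw, offset)
end

# Hardened framing decision (this example's own rule, assumed to be in the
# spirit of the upstream fix): refuse both headers together and refuse any
# Transfer-Encoding other than exactly "chunked", so every hop agrees on
# where the message ends.
def strict_framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  raise ArgumentError, "both Content-Length and Transfer-Encoding set" if te && cl
  if te
    raise ArgumentError, "unsupported Transfer-Encoding: #{te}" unless te.match?(/\Achunked\z/i)
    :chunked
  elsif cl
    raise ArgumentError, "bad Content-Length: #{cl}" unless cl.match?(/\A\d+\z/)
    :content_length
  else
    :none
  end
end

# Constructed CL.TE request: Content-Length covers the whole tail, while the
# chunked encoding ends after the first "0\r\n\r\n", leaving a second request
# on the connection for a chunked-only parser.
CHUNK_END = "0\r\n\r\n"
SMUGGLED  = "GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
RAW = "POST / HTTP/1.1\r\n" \
      "Host: example.test\r\n" \
      "Content-Length: #{(CHUNK_END + SMUGGLED).bytesize}\r\n" \
      "Transfer-Encoding: chunked\r\n" \
      "\r\n" + CHUNK_END + SMUGGLED

# Compare the two framings of RAW and report what each parser sees.
def smuggling_demo
  cl_body, cl_end = body_by_content_length(RAW)
  te_body, te_end = body_by_transfer_encoding(RAW)
  {
    cl_body: cl_body,                          # whole tail, one request
    cl_consumed_all: cl_end == RAW.bytesize,
    te_body: te_body,                          # empty body
    leftover_after_te: RAW[te_end..-1]         # the smuggled request
  }
end

if __FILE__ == $PROGRAM_NAME
  r = smuggling_demo
  puts "Content-Length view: body=#{r[:cl_body].inspect}"
  puts "chunked view:        body=#{r[:te_body].inspect}, next request=#{r[:leftover_after_te].inspect}"
  begin
    strict_framing(parse_head(RAW)[1])
  rescue ArgumentError => e
    puts "strict parser: 400 Bad Request (#{e.message})"
  end
end
```

Run it with `ruby` to see the length-only parser swallow the whole tail as one body while the chunked-only parser stops after the empty chunk and treats the remainder as a fresh `GET /admin`; the strict check refuses the request outright, which is the only framing decision that cannot be disagreed with by the next hop.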
dev-lang/ruby 2.7.2 has been added. We do not package the webrick gem. Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug. Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986 Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703 Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9 ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986 v2_5_9 ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703 v2_6_7 v2_6_8 ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9 v2_7_3 v2_7_4 3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks. Package list is empty or all packages have requested keywords. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48 commit aea6781bb25fe500e38a2cfce23bf166d29cbf48 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-24 04:04:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-24 04:06:47 +0000 [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities Bug: https://bugs.gentoo.org/747007 Bug: https://bugs.gentoo.org/801061 Bug: https://bugs.gentoo.org/827251 Bug: https://bugs.gentoo.org/838073 Bug: https://bugs.gentoo.org/882893 Bug: https://bugs.gentoo.org/903630 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) |