386987 – (CVE-2011-3624) dev-lang/ruby malformed header vulnerabilities (CVE-2011-3624)

Bug 386987 (CVE-2011-3624) - dev-lang/ruby malformed header vulnerabilities (CVE-2011-3624)

Summary: dev-lang/ruby malformed header vulnerabilities (CVE-2011-3624)

Status:	RESOLVED OBSOLETE

Alias:	CVE-2011-3624

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B4 [upstream+]
Keywords:

Depends on:
Blocks:

Reported:	2011-10-12 21:58 UTC by Sean Amoss (RETIRED)
Modified:	2016-03-02 10:04 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sean Amoss (RETIRED) gentoo-dev

2011-10-12 21:58:32 UTC

From $URL:

Various methods in WEBrick::HTTPRequest in Ruby 1.9.2-p290 and
1.8.7-p352 and earlier and do not validate the X-Forwarded-For,
X-Forwarded-Host and X-Forwarded-Server headers in requests, which might
allow remote attackers to inject arbitrary text into log files or bypass
intended address parsing via a crafted header.

https://redmine.ruby-lang.org/issues/5418

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2016-03-02 10:04:44 UTC

No vulnerable versions in tree.  References as CVE is still reerved: https://security-tracker.debian.org/tracker/CVE-2011-3624 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624