An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

GitHub Commit: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25613
https://osint.geekcq.com/2020/10/06/cve-2020-25613/

Reproducible: Always
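As an added example (not WEBrick's code and not the upstream fix linked in the report), the Ruby below contrasts the kind of loose substring check the report describes with a strict whole-value check of the Transfer-Encoding header, and shows a conservative body-framing decision a server can make. The header names and values are constructed sample input, and the choice to answer :reject when Transfer-Encoding and Content-Length are both present is an assumption of this example, not something the report or the patch specifies.

```ruby
# Added example (not WEBrick's code and not the upstream patch): contrasts a
# lax Transfer-Encoding check with a strict one and shows how a server can
# decide request-body framing conservatively. Header names/values below are
# constructed sample input.

# Lax check: a bare substring match, the kind of check the report describes.
# Any value merely containing "chunked" is accepted.
def lax_chunked?(value)
  return false if value.nil?
  /chunked/i.match?(value)
end

# Strict check: the entire header value must be exactly "chunked"
# (case-insensitive, outer whitespace stripped). A second coding or a
# stray prefix is not accepted.
def strict_chunked?(value)
  return false if value.nil?
  /\Achunked\z/i.match?(value.strip)
end

# Normalise a header value that may have been received on several lines
# (held as an Array, as WEBrick does) or as a single String into one
# String, or nil when the header is absent.
def header_value(headers, name)
  v = headers[name]
  v.is_a?(Array) ? v.join(', ') : v
end

# Decide how the body of a request is framed. Returns :chunked,
# :content_length, :none or :reject. Design choice (assumption of this
# example): when both Transfer-Encoding and Content-Length are present, or
# Transfer-Encoding is anything other than exactly "chunked", refuse the
# request (an HTTP 400 in practice) rather than guess, so the server and a
# front-end proxy cannot disagree about where the body ends.
def body_framing(headers)
  te = header_value(headers, 'transfer-encoding')
  cl = header_value(headers, 'content-length')
  if te
    return :reject unless strict_chunked?(te)
    return :reject if cl
    :chunked
  elsif cl
    return :reject unless /\A\d+\z/.match?(cl)
    :content_length
  else
    :none
  end
end

# Values on which the two checks disagree: the lax check accepts them,
# the strict check does not.
def disagreements(values)
  values.select { |v| lax_chunked?(v) && !strict_chunked?(v) }
end

if __FILE__ == $0
  samples = ['chunked', 'Chunked', 'chunked, identity', 'xchunked', 'gzip', nil]
  puts "accepted by lax but rejected by strict: #{disagreements(samples).inspect}"
  puts body_framing('transfer-encoding' => 'chunked')                          # chunked
  puts body_framing('transfer-encoding' => %w[chunked chunked])                # reject
  puts body_framing('transfer-encoding' => 'chunked', 'content-length' => '5') # reject
end
```

The strict check is what closes the class of bug described above: a proxy and the server must agree on the same framing rule, and a regex that only looks for a substring lets values through that a stricter peer would treat differently.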
dev-lang/ruby 2.7.2 has been added. We do not package the webrick gem. Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.
Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9

ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
v2_5_9
ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
v2_6_7
v2_6_8
ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
v2_7_3
v2_7_4

3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)