An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
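As an added example, not the upstream fix or Gentoo's own code, the Ruby below contrasts a lax substring check on Transfer-Encoding with a strict one that accepts only a lone "chunked" coding and refuses every ambiguous header set; the sample header sets in it are constructed, not captured traffic.

```ruby
# Added example (not the upstream WEBrick patch): a strict Transfer-Encoding
# check of the kind an HTTP/1.1 origin needs so that it and a reverse proxy
# agree on where every request body ends. Headers are passed as [name, value]
# pairs because a header may be repeated.

# Lax check of the kind the advisory describes: any value that merely contains
# "chunked" is treated as chunked, so the origin and a stricter proxy can
# disagree about the framing of the same request.
def lax_transfer_encoding(value)
  value =~ /chunked/i ? :chunked : :identity
end

# RFC 7230 token characters; a transfer-coding name must be one token.
TOKEN = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Strict check. Returns :identity when no Transfer-Encoding header is present,
# :chunked when it is exactly the single token "chunked" (case-insensitive,
# optional surrounding whitespace), and :reject (answer 400 or 501 and close
# the connection) for everything else: Transfer-Encoding combined with
# Content-Length, a repeated Transfer-Encoding header, an empty or multi-member
# list, or any coding other than chunked.
def strict_transfer_encoding(headers)
  te = headers.select { |name, _| name.casecmp?('transfer-encoding') }.map(&:last)
  return :identity if te.empty?
  return :reject if te.size > 1
  return :reject if headers.any? { |name, _| name.casecmp?('content-length') }
  codings = te.first.split(',', -1).map(&:strip)
  return :reject unless codings.size == 1 && codings.first =~ TOKEN
  codings.first.casecmp?('chunked') ? :chunked : :reject
end

# Constructed header sets (not captured traffic) with the verdict a strict
# server must give; the last three are cases the lax check would wave through.
SAMPLES = [
  [[['Transfer-Encoding', 'chunked']], :chunked],
  [[['transfer-encoding', ' CHUNKED ']], :chunked],
  [[['Content-Length', '5']], :identity],
  [[['Transfer-Encoding', 'chunked'], ['Content-Length', '5']], :reject],
  [[['Transfer-Encoding', 'chunked, identity']], :reject],
  [[['Transfer-Encoding', 'chunked'], ['Transfer-Encoding', 'chunked']], :reject],
].freeze

# True when every sample gets the expected strict verdict.
def samples_pass?
  SAMPLES.all? { |headers, expected| strict_transfer_encoding(headers) == expected }
end

puts(samples_pass? ? 'all samples handled as expected' : 'mismatch')
```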
dev-lang/ruby 2.7.2 has been added.
We do not package the webrick gem.
Upstream has not released new versions for the ruby 2.5 and 2.6 slots. I assume that this will be released shortly as well. If not then we can apply the patch sets from the referenced bug.
Ruby 2.5 patch: d6d2f179b02855ce07e8a114b3611dfc1f590986
Ruby 2.6 patch: 8b49c3e4bc767bec8a66ac81cbda033330fb2703
Ruby 2.7 patch: 48ac73769772317d6c3f864f087ef930a47120d9
ruby $ git tag --contains d6d2f179b02855ce07e8a114b3611dfc1f590986
ruby $ git tag --contains 8b49c3e4bc767bec8a66ac81cbda033330fb2703
ruby $ git tag --contains 48ac73769772317d6c3f864f087ef930a47120d9
3.0.0 is unaffected (it's always had the patch). Just waiting for 2.5 cleanup here now, removal in a couple weeks.