|
|
Subscribe / Log in / New account

Debian alert DLA-2391-1 (ruby2.3)



From:
              Utkarsh Gupta <utkarsh@debian.org>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 2391-1] ruby2.3 security update


Date:
              Thu, 01 Oct 2020 21:20:18 +0530


Message-ID:
              <f25cb761-9465-69e1-a01e-c1a9a1c60563@debian.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2391-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 01, 2020                            https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : ruby2.3
Version        : 2.3.3-1+deb9u9
CVE ID         : CVE-2020-25613

A potential HTTP request smuggling vulnerability in WEBrick
was reported.

WEBrick (bundled along with ruby2.3) was too tolerant against
an invalid Transfer-Encoding header. This may lead to
inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to “smuggle” a request.

For Debian 9 stretch, this problem has been fixed in version
2.3.3-1+deb9u9.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl91+rcACgkQgj6WdgbD
S5bMSw/+MkKeOuD7I5Weg8I3/N9w/oeY9+B/YInygn7ubnHIC8iq9KAwOBg40BxY
CUHjPsU1LEerCajsFauUOG6YjxPF2ETi8Fr2PmQASZfPE13YBlG+yOIqC0kgHs2k
eZN6iVOEaghUaf1c6FSCbfKkSive3q4hRFNtYl2Qn9qhexs5I9hCgPLhc99HFCS7
HSSXNncL8Pkk9Qu7JcqS22md6BNmPtmWj11rjkKtsmBztm2D/ShoDVh0/pVtOrIm
6Bj9XdhJSiHs0ihr8DSmpy3SgPNYufT+aWtP9dBpCXmTQpe2yXSTdk4z+MhZnNic
b0pzHLoEeFNadcffOsOms8jkFR3dxMDJpdHCOLSPCplO3jC4R9B9vEOjuMFV55Vc
qyG160RDn8D9NMt2HGTMQu8ahR+DEiImhZ5hurucpGZL5gWrhVbFtduiKyy3GFXM
RGesByZQyvtQx8NRAUTqNE5OtO8rJpF9BoQJu/Bk5Zq0/0wTABNKY2Fl+tZG4DRB
uWf6U33Jh96WojrKKRY8D2NB4L8kDLavcPNYLSEYU+aXSw3d5p/+Ez6AgwdaO31o
CnjnkFp0KnEM4UK9EhZzSncOGuPY4ggNe5hN2189FTCXTbOB5DKdI+BxzSA/prr4
rrX91N0TGmb+A1Ueb5eRiw572p3vA1zz6IHXp+tGLk8tNQBQCRA=
=yLxG
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds