
[SECURITY] [DLA 2391-1] ruby2.3 security update



-----------------------------------------------------------------------
Debian LTS Advisory DLA-2391-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 01, 2020                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : ruby2.3
Version        : 2.3.3-1+deb9u9
CVE ID         : CVE-2020-25613

A potential HTTP request smuggling vulnerability in WEBrick
was reported.

WEBrick (bundled with ruby2.3) was too tolerant of an invalid
Transfer-Encoding header. This may lead to WEBrick and some HTTP
proxy servers interpreting the same request inconsistently, which
may allow an attacker to “smuggle” a request.
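
The parsing mismatch described above, as an added example (not WEBrick's code and not the Debian patch): a lenient check that accepts any value containing "chunked" is set beside a strict whole-value check, and values the two read differently are refused. The function names, the chunked-only policy and the sample header values are assumptions made for illustration.

```ruby
# Added example: not WEBrick's code. Function names and sample values are
# constructed for illustration.

# Lenient check (assumed model of "too tolerant" parsing): the body is
# treated as chunked if "chunked" appears anywhere in the header value.
def lenient_chunked?(value)
  !value.nil? && value.match?(/chunked/i)
end

# Strict check: the whole value must be the single token "chunked".
# \A and \z anchor to the full string; ^ and $ would only anchor to a line.
def strict_chunked?(value)
  !value.nil? && value.match?(/\A[ \t]*chunked[ \t]*\z/i)
end

# Classify a Transfer-Encoding value for a server that implements only the
# chunked coding. :ambiguous marks values the two checks read differently,
# which is where a proxy and the server can disagree about body framing.
def classify_transfer_encoding(value)
  return :absent    if value.nil?
  return :chunked   if strict_chunked?(value)
  return :ambiguous if lenient_chunked?(value)
  :unsupported
end

# Policy: process the request only when the framing is unambiguous.
def accept_request?(headers)
  te = headers.find { |k, _| k.casecmp?("transfer-encoding") }&.last
  %i[absent chunked].include?(classify_transfer_encoding(te))
end

# Constructed sample header values.
SAMPLES = [nil, "chunked", "Chunked", " chunked ", "xchunked",
           "chunked-extra", "identity"].freeze

# Pair every sample with its classification.
def audit(samples = SAMPLES)
  samples.map { |v| [v, classify_transfer_encoding(v)] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |value, verdict| puts format("%-18s %s", value.inspect, verdict) }
end
```
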

For Debian 9 stretch, this problem has been fixed in version
2.3.3-1+deb9u9.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

