Comments (6)
@G-Rath All released versions of Ruby after the versions listed in the advisory are fixed. Here is the commit that fixed Ruby 1.8.6: ruby/ruby@576a349. If you unpack the webrick 1.3.1 gem downloaded from rubygems.org, you can see it already has the same fixes.
from webrick.
The current versioning is different from the year CVE-2009-4492 was published. All versions after Ruby 1.x are already resolved.
@hsbt I was sort of hoping we could work together to get this advisory improved, and unfortunately I don't quite understand how to do that with what you've just said.
Are you saying that all versions after v1 can be considered unaffected, or that just all versions of what's on RubyGems are fine as they came after the Ruby 1.x versions?
@hsbt have you had a chance to read over my reply? I'd really like to get the advisory corrected and would prefer to have confirmed things with a maintainer before I submit a change to the advisory.
What do you want?
Webrick versioning is different from Ruby versioning. So, WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383 is different code from the webrick-1.3.1 gem. webrick-1.3.1 is the fixed version for Ruby 1.x through 2.4.x.
@hsbt @jeremyevans thanks for that info - for context, while I often work with Ruby/Rails I'm not super familiar with how versioning of gems in Ruby compares with what I assume is the same gem republished on RubyGems, so sorry if I'm asking something really silly 😅
Primarily what I was finding confusing was the way the advisory listed "WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev " which meant I was unsure if it was referring to Ruby or WEBrick for those versions (though tbh re-reading it, I suspect I was overthinking it).
Thank you for helping me confirm this - I'll submit an improvement to the advisory marking all versions higher than 1.3.1 as fixed.