From 16f3dfae003e8197ea89534d6dc94099a715176b Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 24 Sep 2024 09:43:16 +0200 Subject: [PATCH] chore(deps): update dependency webrick to v1.8.2 [security] (#2648) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [webrick](https://redirect.github.com/ruby/webrick) | `1.8.1` -> `1.8.2` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### HTTP Request Smuggling in ruby webrick [CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) / [GHSA-6f62-3596-g6w7](https://redirect.github.com/advisories/GHSA-6f62-3596-g6w7)
More information #### Details An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) - [https://github.com/ruby/webrick/issues/145](https://redirect.github.com/ruby/webrick/issues/145) - [https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841](https://redirect.github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841) - [https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7](https://redirect.github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7) - [https://github.com/ruby/webrick](https://redirect.github.com/ruby/webrick) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6f62-3596-g6w7) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
--- ### Release Notes
ruby/webrick (webrick) ### [`v1.8.2`](https://redirect.github.com/ruby/webrick/releases/tag/v1.8.2) [Compare Source](https://redirect.github.com/ruby/webrick/compare/v1.8.1...v1.8.2) #### What's Changed - Drop commented-out line by [@​olleolleolle](https://redirect.github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://redirect.github.com/ruby/webrick/pull/108) - Add Ruby 3.1 & 3.2 to CI matrix by [@​tricknotes](https://redirect.github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109) - Fix/redos by [@​ooooooo-q](https://redirect.github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114) - Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://redirect.github.com/ruby/webrick/pull/120) - Bump actions/checkout from 3 to 4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://redirect.github.com/ruby/webrick/pull/121) - Improve CI by [@​hsbt](https://redirect.github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://redirect.github.com/ruby/webrick/pull/123) - Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@​KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128) - Fix bug chunk extension detection by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://redirect.github.com/ruby/webrick/pull/125) - Fix CI. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://redirect.github.com/ruby/webrick/pull/131) - Merge multiple cookie headers, preserving semantic correctness. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://redirect.github.com/ruby/webrick/pull/130) - Test on macos-latest by [@​byroot](https://redirect.github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132) - Require CRLF line endings in request line and headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://redirect.github.com/ruby/webrick/pull/138) - Prefer squigly heredocs. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://redirect.github.com/ruby/webrick/pull/143) - Only strip space and horizontal tab in headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://redirect.github.com/ruby/webrick/pull/141) - Treat missing CRLF separator after headers as an EOFError by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://redirect.github.com/ruby/webrick/pull/142) - Return 400 response for chunked requests with unexpected data after chunk by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://redirect.github.com/ruby/webrick/pull/136) - Fix reference to URI::REGEXP::PATTERN::HOST by [@​casperisfine](https://redirect.github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144) - Prevent request smuggling by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://redirect.github.com/ruby/webrick/pull/146) #### New Contributors - [@​tricknotes](https://redirect.github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109) - [@​ooooooo-q](https://redirect.github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114) - [@​KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128) - [@​byroot](https://redirect.github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132) - [@​casperisfine](https://redirect.github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144) **Full Changelog**: https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev). --- docs/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index c11a1072d3b..17f9d146b62 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -262,7 +262,7 @@ GEM concurrent-ruby (~> 1.0) unicode-display_width (1.8.0) uri (0.13.1) - webrick (1.8.1) + webrick (1.8.2) PLATFORMS x86_64-linux