-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3433
         Ruby - Potential HTTP Request Smuggling Vulnerability in
                         WEBrick (CVE-2020-25613)
                              5 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25613  

Reference:         ESB-2020.3430

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick

Posted by mame on 29 Sep 2020

A potential HTTP request smuggling vulnerability in WEBrick was reported. This
vulnerability has been assigned the CVE idenfitifer CVE-2020-25613. We strongly
recommend upgrading the webrick gem.

Details

WEBrick was too tolerant against an invalid Transfer-Encoding header. This may
lead to inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to "smuggle" a request. See CWE-444 in
detail.

Please update the webrick gem to version 1.6.1 or later. You can use gem update
webrick to update it. If you are using bundler, please add gem "webrick", ">=
1.6.1" to your Gemfile.

Affected versions

  o webrick gem 1.6.0 or prior
  o bundled versions of webrick in ruby 2.7.1 or prior
  o bundled versions of webrick in ruby 2.6.6 or prior
  o bundled versions of webrick in ruby 2.5.8 or prior

Credits

Thanks to piao for discovering this issue.

History

  o Originally published at 2020-09-29 06:30:00 (UTC)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3pWrONLKJtyKPYoAQgAHA/+L0Q3c+9Iv8cDthvq+yTe6zoSY+ENYCkf
v2WTj/CmrTRaUW15i4kaDDIKqee7LkWxNHRsw1FlgUqbYLLktC882z01E/zBFrz2
QFEHvlnY3RQz5qXrDYxNltDvD920UVeQ05GqQ/1lLssu2fvi5NCp7UWcrPtmcqpx
Tau8nQcur65PeqatHTzvCULHRpaRSyiq/Ee6C1Mtw2PMvtE9Kd4AeVc3NShKY0Ax
1Mi3OS/MS4pHcDp+cEOjnNr7Qno1RJWSbd9QC5LHbb6Vw9bxN/lCGECrqG7k6BtE
iWrZGRQzFBYJwW/xTsSTIf0GxHQHudxEwr3H1s8avYAOl+wdH7DJzp1Hc1pe6LI/
R58froVCALQbmwrMKNugxKIxnI+hCJXiWGypFkZpngCXBarc+qbRBTtJsqGQ7CSm
82TbIWE4DpD76rYEJBCSCpWGpK7OTmMg5YMaACsYpAteFBMGFe/NBnIeti6p6eFi
JGw3q6ZOCIZIk6lJDTv6XTELq+6C5g5jeDRHlMMgJuobtgLah/bLkNiwepKTjO0Y
JU2Lz6xkPmMRK4hY4o6QPgWDk184EynNyCbkaDkgMtYmwODIOjcAf1yc7oxXaSfd
OAe9Fh59YnC/soyCGmWesDldbCbk4ZQI25tGIR5IGZLdahbsO0AuEoHv4tlycCk8
ALRvV4t4OSs=
=q4/p
-----END PGP SIGNATURE-----