Ruby has issued an advisory on September 29:
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

The issue is fixed upstream in 2.7.2:
https://www.ruby-lang.org/en/news/2020/10/02/ruby-2-7-2-released/

Debian-LTS has issued an advisory for this on October 1:
https://www.debian.org/lts/security/2020/dla-2391

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => pterjan
Fedora has issued an advisory for this on October 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
Severity: normal => major
Blocks: (none) => 27443
Cauldron now has 2.7.2.
Blocks: 27443 => (none)
Source RPM: ruby-2.7.1-31.mga8.src.rpm => ruby-2.5.7-20.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Tests keep failing on 7 with:

[ 1339/17449] OpenSSL::TestPair#test_connect_accept_nonblock
#<Thread:0x0c6c878c@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:452 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `initialize': SSL_CTX_use_certificate: ee key too small (OpenSSL::SSL::SSLError)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `new'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `block in test_connect_accept_nonblock'

It builds fine here, so I wonder if it's something in updates or updates_testing that my local iurt would not use. I added some upstream patch which was supposed to help (http://svnweb.mageia.org/packages/updates/7/ruby/current/SOURCES/1e54903684aa3c9ea3fe54520157846a1b1f07be.patch?revision=1643789&view=markup) but it failed again.
Which openssl is it running against (1.0.2 or 1.1.x)? Maybe you can disable the tests.
From http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20201108141104.pterjan.duvel.35384/log/ruby-2.5.8-22.mga7/install_deps-1.0.20201108141158.log it is using libopenssl-devel-1.1.0l-1.1.mga7.i586.rpm

I added updates media here to try to reproduce, but yes, worst case I'll disable that test given that it is unrelated to what is getting patched in this update.
It seems the submit somehow didn't use the latest commit; locally, using updates and the latest commit, it builds fine, so trying again.
Make sure when you use mgarepo submit, you always give the package name (7/ruby in this case) as an argument. Otherwise it will submit from the commit you originally checked out in your current working directory, a misfeature of the tool.
Now all the ssl tests pass but I got similar failures in webrick https tests (this time SSL_CTX_use_certificate: ca md too weak). The strange part is that it builds fine locally in iurt...

[17026/17445] TestWEBrickHTTPProxy#test_connect
#<Thread:0x000000004719d3f8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/protocol.rb:41:in `ssl_socket_connect': Net::OpenTimeout (Net::OpenTimeout)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:985:in `connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:920:in `do_start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:909:in `start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:1458:in `request'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:175:in `block (2 levels) in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
#<Thread:0x000000004719ea28@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:835:in `assert_join_threads': exceptions on 1 threads: (MiniTest::Assertion)
#<Thread:0x000000004719d3f8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 dead>:
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/protocol.rb:41:in `ssl_socket_connect': Net::OpenTimeout (Net::OpenTimeout)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:985:in `connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:920:in `do_start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:909:in `start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:1458:in `request'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:175:in `block (2 levels) in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:64:in `start_server'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:72:in `start_httpproxy'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:166:in `block in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
#<Thread:0x000000004719ebb8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:50 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/minitest/unit.rb:201:in `assert': <[]> expected but was (MiniTest::Assertion)
<["[2020-11-08 20:51:57] ERROR OpenSSL::SSL::SSLError: SSL_CTX_use_certificate: ca md too weak\n" +
"\t/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/webrick/server.rb:259:in `initialize'\n"]>.
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:37:in `assert'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:300:in `assert_equal'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:36:in `block in <module:TestWEBrick>'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:53:in `block in start_server'
 = 60.08 s
Leaked file descriptor: TestWEBrickHTTPProxy#test_connect: 27

However, this one worries me more, as I believe it's a feature of webrick to generate self-signed certificates for local testing, so this one may impact users and not only tests. I'll look more into it.
Looking at the code it does:

  def setup_ssl_context(config) # :nodoc:
    unless config[:SSLCertificate]
      cn = config[:SSLCertName]
      comment = config[:SSLCertComment]
      # 1024-bit RSA key for the generated self-signed certificate
      cert, key = Utils::create_self_signed_cert(1024, cn, comment)
      config[:SSLCertificate] = cert
      config[:SSLPrivateKey] = key
    end
    # rest of the context setup omitted from the excerpt
  end

It seems this was increased in https://github.com/ruby/webrick/commit/0ff321aa74a056faec3cfa77795003353fe8412d so I'll add that patch too.
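As an added example (not WEBrick's own code), a self-signed certificate generator with the key size and signature digest as parameters, plus a check that reports the two OpenSSL complaints seen in the build logs above ("ee key too small" and "ca md too weak"); the 2048-bit RSA and no-MD5/SHA-1 thresholds assumed here are those of OpenSSL 1.1 security level 2.

```ruby
require "openssl"

# Added example, not WEBrick's Utils.create_self_signed_cert: build a
# self-signed RSA certificate for a CN with a chosen key size and digest.
def create_self_signed_cert(bits, cn, digest = "SHA256")
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2            # X.509 v3
  cert.serial = 1
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.subject = name
  cert.issuer = name          # self-signed: issuer == subject
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Mirror the security-level-2 checks OpenSSL 1.1 applies when the
# certificate is loaded into an SSL context (assumed thresholds):
# RSA keys below 2048 bits give "ee key too small", MD5/SHA-1 signatures
# give "ca md too weak". Returns the list of problems, empty if acceptable.
def weak_cert_problems(cert, key)
  problems = []
  bits = key.n.num_bits
  problems << "ee key too small (#{bits} bits)" if bits < 2048
  sig = cert.signature_algorithm        # e.g. "sha256WithRSAEncryption"
  problems << "ca md too weak (#{sig})" if sig =~ /md5|sha1/i
  problems
end

if __FILE__ == $0
  cert, key = create_self_signed_cert(1024, "localhost")
  puts "1024-bit: #{weak_cert_problems(cert, key).inspect}"
  cert, key = create_self_signed_cert(2048, "localhost")
  puts "2048-bit: #{weak_cert_problems(cert, key).inspect}"
end
```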
You might need to change it to 4096. I'm starting to wonder if there's some non-deterministic ordering issue (probably due to a dependency loop) with running scriptlets and not getting the crypto policy set correctly. I've seen a few reports of this issue popping up but haven't seen it myself, and obviously it's working for most people, so I don't think there's anything inherently wrong with the packages.
ruby-2.5.8-22.mga7 is finally built (still uploading).
Advisory:
========================

Updated ruby packages fix security vulnerability:

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request (CVE-2020-25613).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.8-22.mga7
libruby2.5-2.5.8-22.mga7
ruby-doc-2.5.8-22.mga7
ruby-devel-2.5.8-22.mga7
ruby-openssl-2.1.2-22.mga7
ruby-power_assert-1.1.1-22.mga7
ruby-irb-2.5.8-22.mga7
ruby-did_you_mean-1.2.0-22.mga7
ruby-io-console-0.4.6-22.mga7
ruby-psych-3.0.2-22.mga7
ruby-net-telnet-0.1.1-22.mga7
ruby-test-unit-3.2.7-22.mga7
ruby-xmlrpc-0.3.0-22.mga7

from ruby-2.5.8-22.mga7.src.rpm
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
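As an added example (not WEBrick's code and not part of the fix in this update), the strict check of the request-framing headers that the advisory's description calls for: a server that rejects any Transfer-Encoding it cannot parse exactly, and refuses ambiguous framing, cannot read a body differently from the proxy in front of it. It assumes the caller has already lower-cased the header names.

```ruby
# Added example, not WEBrick's code: strict validation of the headers
# that decide how an HTTP/1.1 request body is framed.

# RFC 7230 token characters; a transfer-coding must be a bare token.
TCHAR = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Parse a Transfer-Encoding value into its list of codings, raising
# ArgumentError (the caller answers 400 Bad Request) for anything malformed.
def parse_transfer_encoding(value)
  codings = value.split(",", -1).map { |c| c.strip.downcase }
  codings.each do |c|
    # Rejects empty entries, parameters (";q=1"), control bytes, etc.
    raise ArgumentError, "bad transfer-coding #{c.inspect}" unless c.match?(TCHAR)
  end
  if codings.include?("chunked")
    raise ArgumentError, "chunked listed more than once" if codings.count("chunked") > 1
    raise ArgumentError, "chunked must be the final transfer-coding" unless codings.last == "chunked"
  end
  codings
end

# Decide how the body is framed: :chunked, :content_length or :no_body.
# Raises ArgumentError when the headers are ambiguous or malformed.
def body_framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  if te
    # Both headers present is the classic desync setup; RFC 7230 lets a
    # server ignore Content-Length here, but rejecting removes the ambiguity.
    raise ArgumentError, "Transfer-Encoding and Content-Length both present" if cl
    codings = parse_transfer_encoding(te)
    # Without a final "chunked" the message length cannot be determined.
    raise ArgumentError, "final transfer-coding must be chunked" unless codings.last == "chunked"
    return :chunked
  end
  if cl
    raise ArgumentError, "bad Content-Length #{cl.inspect}" unless cl.match?(/\A\d+\z/)
    return :content_length
  end
  :no_body
end
```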
Just looking at this for mga7.

CVE-2020-25613
https://hackerone.com/reports/965267

$ ruby http_server.rb
[2020-11-11 16:43:54] INFO WEBrick 1.4.2
[2020-11-11 16:43:54] INFO ruby 2.5.8 (2020-03-31) [x86_64-linux]
[2020-11-11 16:43:54] INFO WEBrick::HTTPServer#start: pid=19347 port=8080

The minimal server supplied runs OK but I have no idea about haproxy. It is not supplied as a package in its own right so this looks like a dead end. There is a set of python-twisted files for haproxy on site but no indication where the haproxy config file lives - nothing in /etc. If there is an alternative to using haproxy I would need a great deal of help.

Moving on to testing ruby itself. It has been working fine before updates. Clean update for all packages. All user-land scripts working without incident.

$ sudo gem install victor
Fetching: victor-0.3.2.gem (100%)
Successfully installed victor-0.3.2
Parsing documentation for victor-0.3.2
Installing ri documentation for victor-0.3.2
Done installing documentation for victor after 0 seconds
1 gem installed

Cut and pasted a script into irb and generated an on-screen digital clock.

More examples:

$ irb
irb(main):001:0> def leap_year( year )
irb(main):002:1> if ( year.modulo( 100 ) == 0 ) then
irb(main):003:2* j = year.modulo( 400 ) == 0 ? 1 : 0
irb(main):004:2> else
irb(main):005:2> j = year.modulo( 4 ) == 0 ? 1 : 0
irb(main):006:2> end
irb(main):007:1> j == 1
irb(main):008:1> end
=> :leap_year
irb(main):009:0> puts "#{year} is a leap year" if leap_year( 1900 )
=> nil
irb(main):010:0> leap_year( 1952 )
=> true
irb(main):011:0> leap_year( 2021 )
=> false
irb(main):012:0> leap_year( 2000 )
=> true

Oneliners OK.

$ ruby -e "puts(1.upto(31).inject(:+))"
496

Most of the results from whatrequires are ruby packages, as expected. Others are epic5, ice-ruby, vim - vim probably when editing ruby scripts. Tried that on a gemspec file and sure enough it delivers syntax highlighting. After strace...

$ grep ruby gemspectest
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
.....
stat("/usr/share/vim/syntax/ruby.vim", {st_mode=S_IFREG|0644, st_size=41351, ...}) = 0
openat(AT_FDCWD, "/usr/share/vim/syntax/ruby.vim", O_RDONLY) = 3
stat("/usr/share/vim/syntax/ruby.vim", {st_mode=S_IFREG|0644, st_size=41351, ...}) = 0
read(3, "ubyRegexpParens\tmatchgroup=rubyR"..., 4096) = 4096
read(3, "chgroup=rubyRegexpDelimiter star"..., 4096) = 4096
....

So, ruby is still working in general but cannot say anything about server setups. Letting it go.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Note on comment 13: Of course <ruby -e "puts(16*31)"> will be a lot faster.
Validating update. Advisory and packages in Comment 12. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: Triaged => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0423.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED