SUSE has issued an advisory on March 29: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014232.html The issue is fixed upstream in 2.2.6.4. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.2.6.4
Debian-LTS has issued an advisory for this on April 17: https://www.debian.org/lts/security/2023/dla-3392
Submitted ruby-rack-2.2.8-1.mga9.src.rpm to core/updates_testing
(In reply to Pascal Terjan from comment #2)
> Submitted ruby-rack-2.2.8-1.mga9.src.rpm to core/updates_testing
The packages ruby-rack-2.2.8-1.mga9.noarch.rpm and ruby-rack-doc-2.2.8-1.mga9.noarch.rpm have arrived in updates_testing. Should I assign to QA?
Whiteboard: MGA8TOO => (none)
Keywords: (none) => feedback
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
URL: (none) => https://lists.suse.com/pipermail/sle-security-updates/2023-March/014232.html https://www.debian.org/lts/security/2023/dla-3392
Keywords: feedback => (none)
CVE: (none) => CVE-2023-27539
CC: (none) => marja11
Keywords: (none) => advisory
Note that the CVE is currently reserved so we can get no useful information from Mitre.
CC: (none) => tarazed25
Created attachment 14394: Simple test for ruby-rack
From Pascal probably. Instructions in the script.
Mageia9, x86_64
This from Debian at https://lists.debian.org/debian-lts-announce/2023/04/msg00018.html:
CVE-2023-27539 Description: Split headers on commas, then strip the strings in order to avoid ReDoS issues.
Could be the basis of a PoC - if there are any hackers in the house.
Had to remove two conflicting gems before things would work. Updated the two packages and ran the helloworld script:
$ ruby logging.rb
2024-02-18 00:44:40 +0000 Thin web server (v1.8.2 codename Ruby Razor)
2024-02-18 00:44:40 +0000 Maximum connections set to 1024
2024-02-18 00:44:40 +0000 Listening on localhost:8080, CTRL+C to stop
localhost:8080/ in Firefox, slight delay then Hello World. App took 3 seconds.
Tried to run a script from the latest Pickaxe book with rackup. It insisted on installing a later version of the rack gem, 3.0... so that had to be abandoned and the new gem uninstalled.
Is logging.rb a sufficient test for ruby-rack?
Version: Cauldron => 9
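Added illustration, not part of the bug report and not Rack's own code: a simplified reconstruction of the "split on a whitespace-padded regex" versus "split on the literal separator, then strip" shape that the Debian description above refers to, applied to an Accept-style header with q-values. The function names (q_values_regex, q_values_literal, hostile_accept_header, time_parsers) and the hostile header are this example's own. Two caveats for anyone measuring: the quadratic backtracking shows on Ruby 3.1 (the interpreter on Mageia 9 per the WEBrick log below), while Ruby 3.2 and later add regex match memoization that blunts it, and the timing is a rough comparison, not a reproduction of the original report.

```ruby
# Added illustration (not Rack's code): header splitting in its "before"
# (regex separators) and "after" (literal separators + strip) shape, as
# described for CVE-2023-27539. Function names are this example's own.
require 'benchmark'

# "Before" shape: separators matched by whitespace-padded regexes. On a
# header holding a long run of spaces that is NOT followed by a comma, the
# engine retries \s* from every position inside the run and backtracks it
# one character at a time each time, so work grows with the square of n.
def q_values_regex(header)
  header.to_s.split(/\s*,\s*/).map do |part|
    value, parameters = part.split(/\s*;\s*/, 2)
    quality = 1.0
    quality = $1.to_f if parameters && /\Aq=([\d.]+)/ =~ parameters
    [value, quality]
  end
end

# "After" shape: split on the literal separator (a linear scan), then strip
# each piece. Same result for the inputs below, with no backtracking.
def q_values_literal(header)
  header.to_s.split(',').map do |part|
    value, parameters = part.split(';', 2).map(&:strip)
    quality = 1.0
    quality = $1.to_f if parameters && /\Aq=([\d.]+)/ =~ parameters
    [value, quality]
  end
end

# Constructed hostile header: a run of n spaces that ends in a non-comma
# character, so the comma regex has to backtrack through the whole run
# from each starting position before it reaches the real separator.
def hostile_accept_header(n)
  "text/html#{' ' * n}x, */*;q=0.1"
end

# Time both parsers on the hostile header; returns {regex:, literal:} in seconds.
def time_parsers(n)
  header = hostile_accept_header(n)
  {
    regex: Benchmark.realtime { q_values_regex(header) },
    literal: Benchmark.realtime { q_values_literal(header) }
  }
end

if __FILE__ == $0
  p q_values_literal("text/html, application/xml;q=0.9, */*;q=0.8")
  time_parsers(20_000).each { |name, secs| printf("%-8s %.3fs\n", name, secs) }
end
```

Raising n in time_parsers makes the gap between the two parsers grow on an interpreter without regex memoization; both still return the same two-entry result for the hostile header, which is what the tests below check.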
Ran the rackapp test from bug 31496.
$ cat rackapp.rb
require 'rack'
app = ->(env){ ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']] }
Rack::Handler::WEBrick.run app
$ ruby rackapp.rb
[2024-02-18 09:36:33] INFO WEBrick 1.8.1
[2024-02-18 09:36:33] INFO ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-02-18 09:36:33] INFO WEBrick::HTTPServer#start: pid=229817 port=8080
127.0.0.1 - - [18/Feb/2024:09:37:13 GMT] "GET / HTTP/1.1" 200 21 - -> /
127.0.0.1 - - [18/Feb/2024:09:37:13 GMT] "GET /favicon.ico HTTP/1.1" 200 21 http://localhost:8080/ -> /favicon.ico
The message "A barebones rack app" appeared at localhost:8080/ in Firefox.
There was an earlier PoC test from bug 26952:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0042.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED