Ubuntu has issued an advisory on October 7: https://ubuntu.com/security/notices/USN-7057-1
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-47220
Status comment: (none) => Fixed upstream in 1.8.2
Source RPM: (none) => ruby-webrick-1.8.1-1.mga10.src.rpm, ruby-webrick-1.7.0-2.mga9.src.rpm
Status comment: Fixed upstream in 1.8.2 => Fixed upstream in 1.8.2 and patch available from Ubuntu
This looks like the patch: https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7

PascalT introduced and version-updated this pkg in Cauldron, so assigning this update to you. (Re-assign it if necessary).
Assignee: bugsquad => pterjan
I'll add the patch but note that upstream does not consider this a security issue and made the explicit decision to not request a CVE as webrick is intended for local testing and not as a real webserver exposed to users.

Test to reproduce:

require 'webrick'
require 'stringio'

req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
req.parse(StringIO.new("POST /user HTTP/1.1\r\nContent-Length: 28\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"))
req.body

After the update this should start failing with an exception saying "request with both transfer-encoding and content-length, possible request smuggling (WEBrick::HTTPStatus::BadRequest)"
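To make the rejected condition concrete, here is an added stand-alone Ruby illustration; it is not WEBrick's code and not part of this bug report, and every function name in it (parse_request, check_framing!, frame_by_content_length, frame_by_chunked, framing_disagreement, parse_strict) is this example's own. It frames the same constructed request as the reproducer above once by Content-Length and once by chunked Transfer-Encoding, shows that the two rules leave different bytes unread (which is exactly the disagreement request smuggling relies on), and then applies the rule the fix enforces: refuse any request that carries both headers before reading its body.

```ruby
# Added example (not WEBrick's code): a minimal HTTP/1.1 request framer that
# applies the rule the upstream fix enforces (refuse a request that carries both
# Content-Length and Transfer-Encoding) and shows why it matters: the two headers
# delimit the body differently, so two parsers can disagree about where the next
# request begins. All function names here are this example's own.

class SmugglingCheckFailed < StandardError; end

# Split raw request bytes into [request_line, headers, body].
# Header names are downcased; a repeated header keeps the last value seen.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  raise ArgumentError, "no end of headers" if body.nil?
  request_line, *header_lines = head.split("\r\n")
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header: #{line.inspect}" if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers, body]
end

# The check the fix adds: a body must not be framed two ways at once.
def check_framing!(headers)
  if headers.key?("transfer-encoding") && headers.key?("content-length")
    raise SmugglingCheckFailed,
          "request with both transfer-encoding and content-length, possible request smuggling"
  end
  headers
end

# Frame the body by Content-Length; returns [body, bytes_left_over].
def frame_by_content_length(headers, body)
  n = Integer(headers.fetch("content-length"), 10)
  raise ArgumentError, "truncated body" if body.bytesize < n
  [body[0, n], body[n..]]
end

# Frame the body by chunked Transfer-Encoding; returns [decoded_body, bytes_left_over].
def frame_by_chunked(body)
  decoded = +""
  rest = body
  loop do
    size_line, rest = rest.split("\r\n", 2)
    raise ArgumentError, "truncated chunk header" if rest.nil? || size_line.empty?
    size = Integer(size_line.split(";").first.strip, 16) # drop chunk extensions
    if size.zero?
      # a zero-size chunk ends the body; skip optional trailer lines up to the blank line
      loop do
        line, rest = rest.split("\r\n", 2)
        raise ArgumentError, "truncated trailers" if rest.nil?
        break if line.empty?
      end
      return [decoded, rest]
    end
    raise ArgumentError, "truncated chunk data" if rest.bytesize < size + 2
    decoded << rest[0, size]
    rest = rest[(size + 2)..] # skip the chunk's trailing CRLF
  end
end

# Constructed request, the same shape as the reproducer in this report.
SAMPLE = "POST /user HTTP/1.1\r\nContent-Length: 28\r\nTransfer-Encoding: chunked\r\n\r\n" \
         "0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"

# What each framing rule leaves unread after the first request.
def framing_disagreement(raw)
  _line, headers, body = parse_request(raw)
  _cl_body, cl_rest = frame_by_content_length(headers, body)
  _te_body, te_rest = frame_by_chunked(body)
  { content_length: cl_rest, chunked: te_rest }
end

# Fixed behaviour: parse, then refuse ambiguous framing before reading the body.
def parse_strict(raw)
  line, headers, body = parse_request(raw)
  check_framing!(headers)
  [line, headers, body]
end

if __FILE__ == $0
  p framing_disagreement(SAMPLE)
  begin
    parse_strict(SAMPLE)
  rescue SmugglingCheckFailed => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script it prints the leftover bytes under each rule (nothing under Content-Length, the whole "GET /admin" request under chunked) and then the rejection message; a server that trusts one rule while a proxy in front of it trusts the other would treat that leftover as a second request, which is why the patched WEBrick refuses the combination outright rather than picking a precedence.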
ruby-webrick-1.8.2-1.mga10 and ruby-webrick-1.7.0-3.mga9 are building
Severity: normal => minor
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. (CVE-2024-47220)

References:
https://ubuntu.com/security/notices/USN-7057-1
========================

Updated packages in core/updates_testing:
========================
ruby-webrick-1.7.0-3.mga9
ruby-webrick-doc-1.7.0-3.mga9

from SRPM:
ruby-webrick-1.7.0-3.mga9.src.rpm
Source RPM: ruby-webrick-1.8.1-1.mga10.src.rpm, ruby-webrick-1.7.0-2.mga9.src.rpm => ruby-webrick-1.7.0-2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 1.8.2 and patch available from Ubuntu => (none)
Status: NEW => ASSIGNED
Keywords: (none) => advisory
RH x86_64

Put the code in comment#3 in a file
Install ruby-webrick
ruby testfile
Does not produce output

Update
installing ruby-webrick-1.7.0-3.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: ruby-webrick ##################################################################################################
1/1: removing ruby-webrick-1.7.0-2.mga9.noarch ##################################################################################################

ruby testfile
/usr/share/gems/gems/webrick-1.7.0/lib/webrick/httprequest.rb:511:in `read_body': request with both transfer-encoding and content-length, possible request smuggling (WEBrick::HTTPStatus::BadRequest)
from /usr/share/gems/gems/webrick-1.7.0/lib/webrick/httprequest.rb:257:in `body'
from testfile:7:in `<main>'

OK I guess
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0348.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED