Advisories » MGASA-2024-0348

Updated ruby-webrick packages fix security vulnerability

Publication date: 08 Nov 2024
Modification date: 08 Nov 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-47220

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby.
It allows HTTP request smuggling by providing both a Content-Length
header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n"
inside of a "POST /user HTTP/1.1\r\n" request. (CVE-2024-47220)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33617
• https://ubuntu.com/security/notices/USN-7057-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47220

SRPMS

9/core

• ruby-webrick-1.7.0-3.mga9