ruby-webrick (1.7.0-3ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: read_header HTTP Request Smuggling Vulnerability
    - debian/patches/CVE-2025-6442-pre1.patch: fix ReDoS parse_header in
      lib/webrick/httputils.rb.
    - debian/patches/CVE-2025-6442-pre2.patch: fix ReDoS split_header_value
      in lib/webrick/httputils.rb.
    - debian/patches/CVE-2025-6442-pre3.patch: merge multiple cookie
      headers, preserving semantic correctness in
      lib/webrick/httprequest.rb, lib/webrick/httputils.rb,
      test/webrick/test_httprequest.rb.
    - debian/patches/CVE-2025-6442.patch: require CRLF line endings in
      request line and headers in lib/webrick/httprequest.rb,
      lib/webrick/httputils.rb, test/webrick/test_filehandler.rb,
      test/webrick/test_httprequest.rb.
    - CVE-2025-6442

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 14 Aug 2025 14:52:45 -0400

ruby-webrick (1.7.0-3ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling via both a Content-Length
    header and a Transfer-Encoding header
    - debian/patches/CVE-2024-47220.patch: check for both headers in
      lib/webrick/httprequest.rb, test/webrick/test_httprequest.rb.
    - CVE-2024-47220

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 04 Oct 2024 07:57:18 -0400

ruby-webrick (1.7.0-3) unstable; urgency=medium

  * Add upstream commit to revert "Allow empty POST and PUT requests without
    content length". This was causing failures in ruby-httpclient testsuite.
  * Remove trailing space in a previous changelog entry

 -- Cédric Boutillier <boutil@debian.org>  Sun, 28 Nov 2021 14:56:56 +0100

ruby-webrick (1.7.0-2) unstable; urgency=medium

  * Source-only upload to comply with migration rules to testing

 -- Cédric Boutillier <boutil@debian.org>  Wed, 17 Nov 2021 09:12:45 +0100

ruby-webrick (1.7.0-1) unstable; urgency=medium

  * Initial release of packaged standalone gem.
  * Was part of Ruby standard library before Ruby 3.x

 -- Cédric Boutillier <boutil@debian.org>  Wed, 17 Nov 2021 09:12:34 +0100

Generated by dwww version 1.14 on Wed Aug 27 11:36:49 CEST 2025.