Source: ruby-protocol-http1
Version: 0.14.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/socketry/protocol-http1/pull/20
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ruby-protocol-http1.

CVE-2023-38697[0]:
| protocol-http1 provides a low-level implementation of the HTTP/1
| protocol. RFC 9112 Section 7.1 defines the format of chunk size,
| chunk data and chunk extension. The value of the Content-Length header
| should be a string of 0-9 digits, the chunk size should be a string
| of hex digits and should be split from chunk data using CRLF, and the
| chunk extension shouldn't contain any invisible character. However,
| Falcon has the following behaviors that disobey the corresponding RFCs:
| accepting Content-Length header values that have a `+` prefix,
| accepting Content-Length header values that are written in hexadecimal
| with a `0x` prefix, accepting `0x`- and `+`-prefixed chunk sizes, and
| accepting LF in chunk extensions. This behavior can lead to desync
| when forwarding through multiple HTTP parsers, potentially resulting
| in HTTP request smuggling and firewall bypassing. This issue is
| fixed in `protocol-http1` v0.15.1. There are no known workarounds.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38697
    https://www.cve.org/CVERecord?id=CVE-2023-38697
[1] https://github.com/socketry/protocol-http1/pull/20
[2] https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj
[3] https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
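The advisory quoted above lists four forms a strict HTTP/1 parser must reject: a `+`-prefixed or `0x`-prefixed Content-Length, a `+`- or `0x`-prefixed chunk size, and an LF inside a chunk extension. The Ruby below is an added example written for this report, not code from protocol-http1, Falcon or the upstream fix. It shows why the forms slip through a parser that converts fields with `Integer()` (which accepts signs, `0x`/`0b`/`0o` prefixes and surrounding whitespace) and puts a strict RFC 9112 validator beside it. The constant and method names are my own; the extension grammar deliberately omits the optional bad whitespace the RFC tolerates around `;` and `=`, so it is stricter than the RFC in that one respect.

```ruby
# Added example: lenient integer conversion versus strict RFC 9112
# validation of Content-Length values and chunk-size lines.
# Not protocol-http1's own code; names below are illustrative.

# tchar from RFC 9110 Section 5.6.2: the characters a token may contain.
TOKEN  = /[!$#%&'*+\-.^_`|~0-9A-Za-z]+/
# quoted-string: printable ASCII and tab/space, no bare CR or LF,
# with backslash escapes for quotes and backslashes.
QUOTED = /"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"/
# chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ); this
# example rejects the optional bad whitespace (BWS) the RFC tolerates.
CHUNK_EXT = /;#{TOKEN}(?:=(?:#{TOKEN}|#{QUOTED}))?/

CONTENT_LENGTH  = /\A[0-9]+\z/
CHUNK_SIZE_LINE = /\A([0-9A-Fa-f]+)(#{CHUNK_EXT}*)\z/

# Lenient: Kernel#Integer accepts a sign, "0x"/"0b"/"0o" prefixes,
# underscores and surrounding whitespace, none of which the RFC allows.
def lenient_content_length(value)
  Integer(value)
end

# Lenient: splitting at ";" and converting in base 16 accepts "+1a" and
# "0x1a", and never inspects what the extension part contains.
def lenient_chunk_size(line)
  size, _ext = line.chomp.split(";", 2)
  Integer(size, 16)
end

# Strict: ASCII digits only, no sign, no prefix, no whitespace.
# Returns nil on anything else so the caller can reject the message.
def strict_content_length(value)
  return nil unless value.match?(CONTENT_LENGTH)
  value.to_i
end

# Strict: the line must end in CRLF, begin with plain hex digits and
# carry only well-formed extensions, so a bare LF inside is rejected.
def strict_chunk_size(line)
  return nil unless line.end_with?("\r\n")
  m = CHUNK_SIZE_LINE.match(line.chomp("\r\n"))
  return nil unless m
  m[1].to_i(16)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mirroring the forms named in the advisory.
  ["5", "+5", "0x1A"].each do |v|
    puts "Content-Length #{v.inspect}: lenient=#{lenient_content_length(v)} " \
         "strict=#{strict_content_length(v).inspect}"
  end
  ["1a\r\n", "+1a\r\n", "0x1a\r\n", "1a;foo\nbar\r\n"].each do |l|
    puts "chunk-size #{l.inspect}: lenient=#{lenient_chunk_size(l)} " \
         "strict=#{strict_chunk_size(l).inspect}"
  end
end
```

Running the file prints each constructed input with both results: the lenient column reads 5, 5, 26 and 26, 26, 26, 26, while the strict column reads 5, nil, nil and 26, nil, nil, nil. The practical check for a deployment is the same one the validator performs: any Content-Length or chunk-size field that is not purely `[0-9]+` or `[0-9A-Fa-f]+` respectively, or any chunk line not terminated by CRLF, should cause the message to be rejected rather than normalised and forwarded, since a downstream parser may interpret the same bytes differently.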