Your message dated Sat, 01 Nov 2025 19:35:34 +0000
with message-id <[email protected]>
and subject line Bug#1043432: fixed in ruby-protocol-http1 0.35.2-1
has caused the Debian Bug report #1043432,
regarding ruby-protocol-http1: CVE-2023-38697
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1043432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043432
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-protocol-http1
Version: 0.14.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/socketry/protocol-http1/pull/20
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-protocol-http1.
CVE-2023-38697[0]:
| protocol-http1 provides a low-level implementation of the HTTP/1
| protocol. RFC 9112 Section 7.1 defined the format of chunk size,
| chunk data and chunk extension. The value of the Content-Length header
| should be a string of 0-9 digits, the chunk size should be a string
| of hex digits and should be split from chunk data using CRLF, and the
| chunk extension shouldn't contain any invisible character. However,
| Falcon has the following behaviors that disobey the corresponding RFCs:
| accepting Content-Length header values that have a `+` prefix,
| accepting Content-Length header values that are written in hexadecimal
| with a `0x` prefix, accepting `0x` and `+` prefixed chunk sizes, and
| accepting LF in chunk extensions. This behavior can lead to desync
| when forwarding through multiple HTTP parsers, potentially resulting
| in HTTP request smuggling and firewall bypassing. This issue is
| fixed in `protocol-http1` v0.15.1. There are no known workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38697
    https://www.cve.org/CVERecord?id=CVE-2023-38697
[1] https://github.com/socketry/protocol-http1/pull/20
[2] https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj
[3] https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
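A defender-side illustration of the grammar the advisory cites, added here and not code from protocol-http1 or the Debian package: strict Content-Length and chunk-size parsing per RFC 9112 beside Ruby's lenient String#to_i(16), which accepts exactly the `+` and `0x` forms named in the report (that upstream relied on such a conversion is an assumption, not something the page states).

```ruby
# Added example, not code from protocol-http1 or the Debian package.
# Strict parsing of the two fields named in CVE-2023-38697, following the
# RFC 9112 grammar, next to the lenient conversion Ruby performs by default.

# RFC 9112 Section 6.2: Content-Length = 1*DIGIT. Returns the length or nil.
def strict_content_length(value)
  return nil unless value.match?(/\A[0-9]+\z/)
  value.to_i(10)
end

# RFC 9112 Section 7.1: chunk-size = 1*HEXDIG, then an optional chunk-ext
# (";" followed by visible ASCII, SP or HTAB only), then CRLF. `line` is the
# chunk header exactly as read from the wire, CRLF included.
CHUNK_HEADER = /\A(?<size>[0-9A-Fa-f]+)(?<ext>(?:[ \t]*;[\x20\x09\x21-\x7e]*)?)\r\n\z/

def strict_chunk_size(line)
  m = CHUNK_HEADER.match(line)
  m ? m[:size].to_i(16) : nil
end

# Lenient conversion: String#to_i(16) accepts a sign and a "0x" prefix and
# stops at the first non-hex character, so "+1f", "0x1f" and "1f;..." all
# yield 31 (assumed here as the kind of conversion the advisory describes).
def lenient_chunk_size(line)
  line.to_i(16)
end

# Run both parsers over chunk headers; a row where they disagree is the kind
# of divergence between HTTP parsers that the advisory warns about.
# Returns [line, strict_result, lenient_result, disagree?] per input.
def parser_divergence(lines)
  lines.map do |line|
    strict = strict_chunk_size(line)
    lenient = lenient_chunk_size(line)
    [line, strict, lenient, strict != lenient]
  end
end

if __FILE__ == $0
  # Constructed sample chunk headers, not taken from any capture
  samples = ["1f\r\n", "+1f\r\n", "0x1f\r\n", "1f;ext=a\r\n", "1f;ext\nx\r\n"]
  parser_divergence(samples).each { |row| p row }
end
```

Only the first and fourth sample lines survive the strict parser; the lenient one returns 31 for all five, which is the disagreement that lets a front-end proxy and this server see different message boundaries.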
--- Begin Message ---
Source: ruby-protocol-http1
Source-Version: 0.35.2-1
Done: Simon Quigley <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-protocol-http1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Quigley <[email protected]> (supplier of updated ruby-protocol-http1
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 01 Nov 2025 13:56:22 -0500
Source: ruby-protocol-http1
Built-For-Profiles: noudeb
Architecture: source
Version: 0.35.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Simon Quigley <[email protected]>
Closes: 1043432
Changes:
ruby-protocol-http1 (0.35.2-1) unstable; urgency=medium
.
* Team upload.
* Use GitHub for the watch file.
* New upstream release.
- Patches CVE-2023-38697 (Closes: #1043432).
* Drop {XS,XB}-Ruby-Versions from control.
* Reorganize build dependencies.
--- End Message ---