Bug 1789556 (CVE-2019-16254)

Summary: CVE-2019-16254 ruby: HTTP response splitting in WEBrick
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amasferr, chazlett, hhorak, jorton, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby 2.4.8, ruby 2.5.7, ruby 2.6.5, ruby 2.7.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-26 11:32:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1789557, 1791293, 1791294, 1791295, 1791296, 1791297, 1791298, 1954947, 1955050, 1957124, 2055231, 2055240    
Bug Blocks: 1789559    

Description Guilherme de Almeida Suckevicz 2020-01-09 19:38:18 UTC 
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Reference:
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
Comment 1 Guilherme de Almeida Suckevicz 2020-01-09 19:39:44 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1789557]
Comment 2 Marco Benatto 2020-01-15 13:16:24 UTC 
Upstream commit for this issue:

https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
Comment 4 errata-xmlrpc 2021-05-25 13:14:03 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
Comment 5 Product Security DevOps Team 2021-05-26 11:32:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16254
Comment 6 errata-xmlrpc 2021-06-03 11:25:53 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
Comment 7 errata-xmlrpc 2021-06-29 16:03:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
Comment 8 errata-xmlrpc 2021-06-29 16:04:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
Comment 9 errata-xmlrpc 2022-02-21 10:11:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
Comment 10 errata-xmlrpc 2022-02-21 10:11:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582