Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF. Reference: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1789557]
Upstream commit for this issue: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16254
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582