Debian Patches
Status for ruby-webrick/1.9.2-2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-38969.patch | Only allow specific trailers Only allow trailers listed in the `Trailer` header. Even if listed there, disallow the following names, based on Mozilla recommendations: . ``` content-encoding content-type content-range trailer authorization set-cookie transfer-encoding content-length host cache-control max-forwards te ``` . There are probably additional ones we should disallow, but this is a decent start. . Do not merge the header and trailer data. Parse the trailers into a separate hash, and for allowed names, copy the value into the headers hash. . This ignores invalid trailers instead of raising an exception, which is preferable for backwards compatibility. . In order to get the new test to pass, make content_length return nil instead of of raising a TypeError if no content length was provided. Also, parse the content length as decimal instead of trying to autodetect the radix. |
Jeremy Evans <code@jeremyevans.net> | yes | debian upstream | https://github.com/ruby/webrick/pull/199 | 2026-07-05 |
