Debian Patches

Status for ruby-webrick/1.9.2-2

Patch Description Author Forwarded Bugs Origin Last update
CVE-2026-38969.patch Only allow specific trailers Only allow trailers listed in the `Trailer` header. Even if listed
there, disallow the following names, based on Mozilla
recommendations:
.
```
content-encoding content-type content-range trailer authorization
set-cookie transfer-encoding content-length host cache-control
max-forwards te
```
.
There are probably additional ones we should disallow, but this
is a decent start.
.
Do not merge the header and trailer data. Parse the trailers into
a separate hash, and for allowed names, copy the value into the
headers hash.
.
This ignores invalid trailers instead of raising an exception,
which is preferable for backwards compatibility.
.
In order to get the new test to pass, make content_length return
nil instead of of raising a TypeError if no content length was
provided. Also, parse the content length as decimal instead of
trying to autodetect the radix.
Jeremy Evans <code@jeremyevans.net> yes debian upstream https://github.com/ruby/webrick/pull/199 2026-07-05

All known versions for source package 'ruby-webrick'

Links