Bug 1152992 (CVE-2019-16254)

Summary: VUL-0: CVE-2019-16254: ruby2.5,ruby,ruby2.1: HTTP response splitting in WEBrick (Additional fix)
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Rückert <mrueckert>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cathy.hu, mrueckert, smash_bz, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/244173/
Whiteboard: CVSSv3:SUSE:CVE-2019-16254:6.8:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2019-10-04 06:03:26 UTC
CVE-2019-16254

https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/



CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)

Posted by mame on 1 Oct 2019

There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.
Details

If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

All users running an affected release should upgrade immediately.
Affected Versions

    All releases that are Ruby 2.3 or earlier
    Ruby 2.4 series: Ruby 2.4.7 or earlier
    Ruby 2.5 series: Ruby 2.5.6 or earlier
    Ruby 2.6 series: Ruby 2.6.4 or earlier
    Ruby 2.7.0-preview1
    prior to master commit 3ce238b5f9795581eb84114dcfbdf4aa086bfecc

Acknowledgement

Thanks to znz for discovering this issue.
History

    Originally published at 2019-10-01 11:00:00 (UTC)
Comment 2 Swamp Workflow Management 2020-03-20 17:14:10 UTC
SUSE-SU-2020:0737-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1140844,1152990,1152992,1152994,1152995,1162396,1164804
CVE References: CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    ruby2.5-2.5.7-4.8.1
SUSE Linux Enterprise Server 15-LTSS (src):    ruby2.5-2.5.7-4.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ruby2.5-2.5.7-4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ruby2.5-2.5.7-4.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    ruby2.5-2.5.7-4.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    ruby2.5-2.5.7-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Swamp Workflow Management 2020-03-28 23:16:52 UTC
openSUSE-SU-2020:0395-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1140844,1152990,1152992,1152994,1152995,1162396,1164804
CVE References: CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130
Sources used:
openSUSE Leap 15.1 (src):    ruby2.5-2.5.7-lp151.4.6.1
Comment 5 Swamp Workflow Management 2020-06-09 13:23:52 UTC
SUSE-SU-2020:1570-1: An update that fixes 42 vulnerabilities is now available.

Category: security (important)
Bug References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275
CVE References: CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 7 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Enterprise Storage 5 (src):    ruby2.1-2.1.9-19.3.2
HPE Helion Openstack 8 (src):    ruby2.1-2.1.9-19.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Stoyan Manolov 2022-09-30 12:44:41 UTC
After careful consideration on our end, we have come to the decision that backporting this fix is neither technically not economically feasible. Please reach out to security@suse.de in case of any questions.