ruby-webrick - Debian Package Tracker

general

source: ruby-webrick (main)
version: 1.9.1-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Cédric Boutillier [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.8.1-1
stable: 1.9.1-1
testing: 1.9.1-1
unstable: 1.9.1-1

versioned links

1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-webrick

action needed

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 2be8309e227c2a5de3106e02dbbce78b8ff3e939
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Mon Aug 25 15:21:30 2025 +0000

    debian/gbp.conf: Add for DEP-14

Created: 2025-08-25 Last update: 2025-08-25 17:04

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-6442: (needs triaging) Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
CVE-2024-47220: (needs triaging) An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-09-22 Last update: 2025-08-10 06:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-03-15 06:27

news

[rss feed]

[2025-03-17] ruby-webrick 1.9.1-1 MIGRATED to testing (Debian testing watch)
[2025-03-14] Accepted ruby-webrick 1.9.1-1 (source) into unstable (Hans-Christoph Steiner)
[2023-02-13] ruby-webrick 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2023-02-09] Accepted ruby-webrick 1.7.0-3~bpo11+2 (source all) into bullseye-backports (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2023-02-08] Accepted ruby-webrick 1.8.1-1 (source) into unstable (Cédric Boutillier)
[2022-09-15] ruby-webrick 1.7.0-4 MIGRATED to testing (Debian testing watch)
[2022-09-11] Accepted ruby-webrick 1.7.0-4 (source) into unstable (Antonio Terceiro)
[2021-12-01] ruby-webrick 1.7.0-3 MIGRATED to testing (Debian testing watch)
[2021-11-28] Accepted ruby-webrick 1.7.0-3 (source) into unstable (Cédric Boutillier)
[2021-11-19] ruby-webrick 1.7.0-2 MIGRATED to testing (Debian testing watch)
[2021-11-17] Accepted ruby-webrick 1.7.0-2 (source) into unstable (Cédric Boutillier)
[2021-10-15] Accepted ruby-webrick 1.7.0-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Cédric Boutillier)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.9.1-1