
How does this relate to WEBrick that ships with Ruby? (asking for CVE-2009-4492) #89

Closed
G-Rath opened this issue Mar 3, 2022 · 6 comments

Comments

@G-Rath

G-Rath commented Mar 3, 2022

I came across CVE-2009-4492 while working on a tool that uses the GitHub Advisory database, which doesn't have a fixed version in its advisory data.

Based on postings here it has been fixed, but I can't find any reference to it here.

Ultimately I'm trying to determine if this is a case of mistaken identity (that the WEBrick pointed to by the advisory is not the one that had the security vulnerability) or otherwise what version this was fixed in so that I can update the advisory.

I suspect it was fixed in 1.3.1 based on database specific info, but want to confirm that before changing the advisory.

@hsbt
Member

hsbt commented Mar 4, 2022

The current versioning is different from the year CVE-2009-4492 was published. All versions after Ruby 1.x are already resolved.

hsbt closed this as completed Mar 4, 2022
@G-Rath
Author

G-Rath commented Mar 4, 2022

@hsbt I was sort of hoping we could work together to get this advisory improved, and unfortunately I don't quite understand how to do that with what you've just said.

Are you saying that all versions after v1 can be considered unaffected, or that just all versions of what's on RubyGems are fine as they came after the Ruby 1.x versions?

@G-Rath
Author

G-Rath commented Mar 11, 2022

@hsbt have you had a chance to read over my reply? I'd really like to get the advisory corrected and would prefer to have confirmed things with a maintainer before I submit a change to the advisory.

@hsbt
Member

hsbt commented Mar 11, 2022

What do you want?

WEBrick versioning is different from Ruby versioning. So, "WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383" is different code from the webrick-1.3.1 gem. webrick-1.3.1 is the fixed version for Ruby 1.x to 2.4.x.

@jeremyevans
Contributor

@G-Rath All released versions of Ruby after the versions listed in the advisory are fixed. Here is the commit that fixed Ruby 1.8.6: ruby/ruby@576a349. If you unpack the webrick 1.3.1 gem downloaded from rubygems.org, you can see it already has the same fixes.

@G-Rath
Author

G-Rath commented Mar 11, 2022

@hsbt @jeremyevans thanks for that info. For context, while I often work with Ruby/Rails, I'm not super familiar with how the versioning of gems bundled with Ruby compares with what I assume is the same gem republished on RubyGems, so sorry if I'm asking something really silly 😅

Primarily what I was finding confusing was the way the advisory listed "WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev", which meant I was unsure if it was referring to Ruby or WEBrick for those versions (though tbh, re-reading it, I suspect I was overthinking it).

Thank you for helping me confirm this. I'll submit an improvement to the advisory marking all versions higher than 1.3.1 as fixed.
