CVE-2011-3624

Name	CVE-2011-3624
Description	Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium
Debian Bugs	646020

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
ruby1.8	source	(unstable)	(unfixed)	low	646020
ruby1.9	source	(unstable)	(unfixed)	low	646020
ruby1.9.1	source	(unstable)	(unfixed)	low	646020

Notes

[lenny] - ruby1.8 <no-dsa> (Minor issue)
[squeeze] - ruby1.8 <no-dsa> (Minor issue)
[wheezy] - ruby1.8 <no-dsa> (Minor issue)
[lenny] - ruby1.9 <no-dsa> (Minor issue)
[squeeze] - ruby1.9.1 <no-dsa> (Minor issue, there seems to be no patch upstream)
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue)