UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface
Latest version: 2.2.7-1ubuntu0.2
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://rack.github.io/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "ruby-rack"

All arch deb package
APT INSTALL

Other versions of "ruby-rack" in Noble

Repository Area Version
base main 2.2.7-1
updates main 2.2.7-1ubuntu0.2

Changelog

Version: 2.2.7-1ubuntu0.2 2025-03-25 07:06:55 UTC

  ruby-rack (2.2.7-1ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: injection vulnerabilities
    - debian/patches/CVE-2025-25184.patch: Escape non-printable
      characters when logging.
    - debian/patches/CVE-2025-27111.patch: Use `#inspect` to prevent log
      injection.
    - CVE-2025-25184
    - CVE-2025-27111
  * SECURITY UPDATE: path traversal vulnerability
    - debian/patches/CVE-2025-27610.patch: Use a fully resolved file
      path when confirming if a file can be served by `Rack::Static`.
    - CVE-2025-27610

 -- Shishir Subedi <email address hidden> Fri, 14 Mar 2025 11:30:30 +0545
Source diff to previous version
CVE-2025-25184 Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited
CVE-2025-27111 Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacke
CVE-2025-27610 Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files unde

Version: 2.2.7-1ubuntu0.1 2024-06-17 15:07:14 UTC

  ruby-rack (2.2.7-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted content type headers
    - debian/patches/CVE-2024-25126.patch: avoid 2nd degree polynomial
      regexp in MediaType in lib/rack/media_type.rb.
    - CVE-2024-25126
  * SECURITY UPDATE: DoS via crafted Range headers
    - debian/patches/CVE-2024-26141.patch: return an empty array when
      ranges are too large in lib/rack/utils.rb, test/spec_utils.rb.
    - CVE-2024-26141
  * SECURITY UPDATE: Dos via crafted headers
    - debian/patches/CVE-2024-26146.patch: fix ReDoS in header parsing in
      lib/rack/utils.rb.
    - CVE-2024-26146

 -- Marc Deslauriers <email address hidden> Fri, 14 Jun 2024 13:15:36 -0400
CVE-2024-25126 Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expec
CVE-2024-26141 Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Respo
CVE-2024-26146 Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a p


About   -   Send Feedback to @ubuntu_updates