UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface
Latest version: 2.2.7-1ubuntu0.7
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://rack.github.io/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "ruby-rack"

All arch deb package
APT INSTALL

Other versions of "ruby-rack" in Noble

Repository Area Version
base main 2.2.7-1
updates main 2.2.7-1ubuntu0.7

Changelog

Version: 2.2.7-1ubuntu0.7 2026-04-16 19:08:30 UTC

  ruby-rack (2.2.7-1ubuntu0.7) noble-security; urgency=medium

  * SECURITY UPDATE: Security bypass in multipart parser
    - debian/patches/CVE-2026-26961.patch: Disallow boundary whitespace in
      lib/rack/multipart/parser.rb
    - CVE-2026-26961
  * SECURITY UPDATE: Denial of service in select_best_encoding
    - debian/patches/CVE-2026-34230.patch: Disregard subsequent wildcards
      when an acceptable encoding has been selected in lib/rack/utils.rb
    - CVE-2026-34230
  * SECURITY UPDATE: Permissive regular expression in Directory
    - debian/patches/CVE-2026-34763.patch: Escape root before evaluating regex
      in lib/rack/directory.rb
    - CVE-2026-34763
  * SECURITY UPDATE: Information disclosure in Static
    - debian/patches/CVE-2026-34785.patch: Check that paths start with the
      static root prefix rather than merely containing them in
      lib/rack/static.rb
    - CVE-2026-34785
  * SECURITY UPDATE: Security bypass in applicable_rules
    - debian/patches/CVE-2026-34786.patch: Decode path before parsing to avoid
      bypassing header rules in lib/rack/static.rb
    - CVE-2026-34786
  * SECURITY UPDATE: Denial of service in byte_ranges
    - debian/patches/CVE-2026-34826.patch: Add a max_ranges argument to
      byte_ranges in lib/rack/utils.rb
    - CVE-2026-34826
  * SECURITY UPDATE: Denial of service in Parser
    - debian/patches/CVE-2026-34829.patch: Set maximum value for
      content-length in lib/rack/multipart/parser.rb
    - CVE-2026-34829
  * SECURITY UPDATE: Permissive regular expression in map_accel_path
    - debian/patches/CVE-2026-34830.patch: Escape X-Accel-Mapping before
      interpreting as regular expression in lib/rack/sendfile.rb
    - CVE-2026-34830
  * SECURITY UPDATE: Improper handling of length in fail
    - debian/patches/CVE-2026-34831.patch: Set content-length to byte size
      rather than UTF-8 length in lib/rack/files.rb
    - CVE-2026-34831

 -- Kyle Kernick <email address hidden> Thu, 09 Apr 2026 09:57:37 -0600
Source diff to previous version
CVE-2026-26961 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter fro
CVE-2026-34230 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding
CVE-2026-34763 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path direc
CVE-2026-34785 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served
CVE-2026-34786 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rule
CVE-2026-34826 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header wi
CVE-2026-34829 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a Bo
CVE-2026-34830 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the
CVE-2026-34831 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header us

Version: 2.2.7-1ubuntu0.6 2026-02-26 15:07:48 UTC

  ruby-rack (2.2.7-1ubuntu0.6) noble-security; urgency=medium

  * SECURITY UPDATE: Directory Traversal Attack
    - debian/patches/CVE-2026-22860.patch: Prevent directory traversal
      via root prefix bypass
    - CVE-2026-22860
  * SECURITY UPDATE: XSS Injection
    - debian/patches/CVE-2026-25500.patch: Stop XSS injection via malicious
      filename in `Rack::Directory`
    - CVE-2026-25500

 -- Bruce Cable <email address hidden> Mon, 23 Feb 2026 10:20:36 +1100
Source diff to previous version
CVE-2026-22860 Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match o
CVE-2026-25500 Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where e

Version: 2.2.7-1ubuntu0.5 2026-01-16 18:13:15 UTC

  ruby-rack (2.2.7-1ubuntu0.5) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - d/p/CVE-2025-61770-and-CVE-2025-61772.patch: Enforce a size limit for
      the preamble and multipart mime part header
    - d/p/CVE-2025-61771.patch: Limit amount of retained data when parsing
      multipart requests
    - CVE-2025-61770
    - CVE-2025-61772
    - CVE-2025-61771

  * SECURITY UPDATE: Information discloure using proxy bypass
    - debian/patches/CVE-2025-61780.patch: Fix handling of proxy headers
      (`HTTP_X_SENDFILE_TYPE` and `HTTP_X_ACCEL_MAPPING`) in Rack::Sendfile
    - CVE-2025-61780

  * SECURITY UPDATE: Denial of service through memory exhaustion
    - debian/patches/CVE-2025-61919.patch: Enforce form parameter limit
      using `query_parser.bytesize_limit` preventing unbounded read of
      `application/x-www-form-urlencoded` bodies
    - CVE-2025-61919

 -- Shishir Subedi <email address hidden> Mon, 01 Dec 2025 13:38:28 +0545
Source diff to previous version
CVE-2025-61770 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart p
CVE-2025-61772 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data
CVE-2025-61771 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (
CVE-2025-61780 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in
CVE-2025-61919 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into mem

Version: 2.2.7-1ubuntu0.4 2025-09-29 21:07:09 UTC

  ruby-rack (2.2.7-1ubuntu0.4) noble-security; urgency=medium

  * SECURITY UPDATE: params_limit bypass using semicolon
    - debian/patches/CVE-2025-59830.patch: also count semicolons in
      lib/rack/query_parser.rb, test/spec_query_parser.rb.
    - CVE-2025-59830

 -- Marc Deslauriers <email address hidden> Fri, 26 Sep 2025 12:41:09 -0400
Source diff to previous version
CVE-2025-59830 Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &,

Version: 2.2.7-1ubuntu0.3 2025-05-13 14:08:19 UTC

  ruby-rack (2.2.7-1ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: Race condition with authentication sessions.
    - debian/patches/CVE-2025-32441.patch: Add get_session_with_fallback()
      check and pool.store in ./lib/rack/session/pool.rb.
    - CVE-2025-32441
  * SECURITY UPDATE: Denial of service through large query parameters.
    - debian/patches/CVE-2025-46727.patch: Add query parameter limit and
      bytesize limit and corresponding checks in ./lib/rack/query_parser.rb.
    - CVE-2025-46727

 -- Hlib Korzhynskyy <email address hidden> Thu, 08 May 2025 15:58:56 -0230
CVE-2025-32441 Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can
CVE-2025-46727 Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/


About   -   Send Feedback to @ubuntu_updates