UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface

Latest version: 2.2.7-1.1ubuntu0.2
Release: oracular (24.10)
Level: updates
Repository: main
Homepage: https://rack.github.io/

Links


Download "ruby-rack"


Other versions of "ruby-rack" in Oracular

Repository Area Version
base main 2.2.7-1.1
security main 2.2.7-1.1ubuntu0.2

Changelog

Version: 2.2.7-1.1ubuntu0.2 2025-05-13 15:07:44 UTC

  ruby-rack (2.2.7-1.1ubuntu0.2) oracular-security; urgency=medium

  * SECURITY UPDATE: Race condition with authentication sessions.
    - debian/patches/CVE-2025-32441.patch: Add get_session_with_fallback()
      check and pool.store in ./lib/rack/session/pool.rb.
    - CVE-2025-32441
  * SECURITY UPDATE: Denial of service through large query parameters.
    - debian/patches/CVE-2025-46727.patch: Add query parameter limit and
      bytesize limit and corresponding checks in ./lib/rack/query_parser.rb.
    - CVE-2025-46727

 -- Hlib Korzhynskyy <email address hidden> Thu, 08 May 2025 15:33:25 -0230

Source diff to previous version
CVE-2025-32441 Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can
CVE-2025-46727 Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/

Version: 2.2.7-1.1ubuntu0.1 2025-03-25 09:07:08 UTC

  ruby-rack (2.2.7-1.1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: injection vulnerabilities
    - debian/patches/CVE-2025-25184.patch: Escape non-printable
      characters when logging.
    - debian/patches/CVE-2025-27111.patch: Use `#inspect` to prevent log
      injection.
    - CVE-2025-25184
    - CVE-2025-27111
  * SECURITY UPDATE: path traversal vulnerability
    - debian/patches/CVE-2025-27610.patch: Use a fully resolved file
      path when confirming if a file can be served by `Rack::Static`.
    - CVE-2025-27610

 -- Shishir Subedi <email address hidden> Fri, 14 Mar 2025 13:51:48 +0545

CVE-2025-25184 Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited
CVE-2025-27111 Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacke
CVE-2025-27610 Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files unde



About   -   Send Feedback to @ubuntu_updates