UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface
Latest version: 3.1.16-0.1ubuntu0.1
Release: questing (25.10)
Level: security
Repository: main
Homepage: https://rack.github.io/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "ruby-rack"

All arch deb package
APT INSTALL

Other versions of "ruby-rack" in Questing

Repository Area Version
base main 3.1.16-0.1
updates main 3.1.16-0.1ubuntu0.1

Changelog

Version: 3.1.16-0.1ubuntu0.1 2026-01-15 07:07:51 UTC

  ruby-rack (3.1.16-0.1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - d/p/CVE-2025-61770-and-CVE-2025-61772.patch: Enforce a size limit for
      the preamble and multipart mime part header
    - d/p/CVE-2025-61771.patch: Limit amount of retained data when parsing
      multipart requests
    - CVE-2025-61770
    - CVE-2025-61772
    - CVE-2025-61771

  * SECURITY UPDATE: Information discloure using proxy bypass
    - debian/patches/CVE-2025-61780.patch: Fix handling of proxy headers
      (`HTTP_X_SENDFILE_TYPE` and `HTTP_X_ACCEL_MAPPING`) in Rack::Sendfile
    - CVE-2025-61780

  * SECURITY UPDATE: Denial of service through memory exhaustion
    - debian/patches/CVE-2025-61919.patch: Enforce form parameter limit
      using `query_parser.bytesize_limit` preventing unbounded read of
      `application/x-www-form-urlencoded` bodies
    - CVE-2025-61919

 -- Shishir Subedi <email address hidden> Mon, 01 Dec 2025 13:19:26 +0545
CVE-2025-61770 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart p
CVE-2025-61772 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data
CVE-2025-61771 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (
CVE-2025-61780 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in
CVE-2025-61919 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into mem


About   -   Send Feedback to @ubuntu_updates