UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface

Latest version: 3.1.16-0.1ubuntu0.3
Release: questing (25.10)
Level: updates
Repository: main
Homepage: https://rack.github.io/

Other versions of "ruby-rack" in Questing

Repository Area Version
base main 3.1.16-0.1
security main 3.1.16-0.1ubuntu0.2

Changelog

Version: 3.1.16-0.1ubuntu0.3 2026-04-16 20:08:32 UTC

  ruby-rack (3.1.16-0.1ubuntu0.3) questing-security; urgency=medium

  * SECURITY UPDATE: Security bypass in multipart parser
    - debian/patches/CVE-2026-26961.patch: Disallow boundary whitespace in
      lib/rack/multipart/parser.rb
    - CVE-2026-26961
  * SECURITY UPDATE: Header injection in multipart parser
    - debian/patches/CVE-2026-26962.patch: Enforce OBS unfolding in
      lib/rack/multipart/parser.rb
    - CVE-2026-26962
  * SECURITY UPDATE: Improper header parsing in forwarded_values
    - debian/patches/CVE-2026-32762.patch: Properly parse forwarded header in
      lib/rack/utils.rb
    - CVE-2026-32762
  * SECURITY UPDATE: Denial of service in select_best_encoding
    - debian/patches/CVE-2026-34230.patch: Disregard subsequent wildcards
      when an acceptable encoding has been selected in lib/rack/utils.rb
    - CVE-2026-34230
  * SECURITY UPDATE: Permissive regular expression in Directory
    - debian/patches/CVE-2026-34763.patch: Escape root before evaluating regex
      in lib/rack/directory.rb
    - CVE-2026-34763
  * SECURITY UPDATE: Information disclosure in Static
    - debian/patches/CVE-2026-34785.patch: Check that paths start with the
      static root prefix rather than merely containing them in
      lib/rack/static.rb
    - CVE-2026-34785
  * SECURITY UPDATE: Security bypass in applicable_rules
    - debian/patches/CVE-2026-34786.patch: Decode path before parsing to avoid
      bypassing header rules in lib/rack/static.rb
    - CVE-2026-34786
  * SECURITY UPDATE: Denial of service in byte_ranges
    - debian/patches/CVE-2026-34826.patch: Add a max_ranges argument to
      byte_ranges in lib/rack/utils.rb
    - CVE-2026-34826
  * SECURITY UPDATE: Denial of service in Parser
    - debian/patches/CVE-2026-34827.patch: Set maximum quoted escapes in
      lib/rack/multipart/parser.rb
    - debian/patches/CVE-2026-34829.patch: Set maximum value for
      content-length in lib/rack/multipart/parser.rb
    - CVE-2026-34827
    - CVE-2026-34829
  * SECURITY UPDATE: Permissive regular expression in map_accel_path
    - debian/patches/CVE-2026-34830.patch: Escape X-Accel-Mapping before
      interpreting as regular expression in lib/rack/sendfile.rb
    - CVE-2026-34830
  * SECURITY UPDATE: Improper handling of length in fail
    - debian/patches/CVE-2026-34831.patch: Set content-length to byte size
      rather than UTF-8 length in lib/rack/files.rb
    - CVE-2026-34831
  * SECURITY UPDATE: Security bypass in AUTHORITY
    - debian/patches/CVE-2026-34835.patch: Only match legal characters in
      hostname in lib/rack/request.rb
    - CVE-2026-34835

 -- Kyle Kernick <email address hidden> Wed, 08 Apr 2026 17:17:35 -0600
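
The CVE-2026-34763 and CVE-2026-34830 items above both come down to the same mistake: a configured value (the Directory root, the X-Accel-Mapping header) was interpolated into a regular expression without escaping. The following Ruby is an added example, not Rack's code, showing the two failure modes that produces, a false match when the root contains '.' and a compile error when it contains an unbalanced '('. Helper names and sample paths are this example's own.

```ruby
# Added example, not Rack's own code: why a configured root must be escaped
# before it is interpolated into a regular expression. Names and sample
# paths are this example's own.

# Unescaped: metacharacters in the root ('.', '(', '|', ...) keep their regex
# meaning, so the anchored pattern no longer matches the root literally.
def under_root_unescaped?(root, path)
  path.match?(/\A#{root}/)
end

# Escaped: Regexp.escape turns the root into a literal pattern.
def under_root_escaped?(root, path)
  path.match?(/\A#{Regexp.escape(root)}/)
end

# Does a pattern built from this root even compile? An unbalanced '(' in an
# unescaped root raises RegexpError, i.e. every request errors out.
def compiles?(root, escape: false)
  src = escape ? Regexp.escape(root) : root
  Regexp.new("\\A" + src)
  true
rescue RegexpError
  false
end

# Constructed inputs; the '.' in the root is the interesting character.
ROOT_WITH_DOT = "/srv/www.example/public"
LEGIT_PATH    = "/srv/www.example/public/index.html"
SIBLING_PATH  = "/srv/wwwXexample/public/index.html"   # '.' matched 'X'
ROOT_WITH_PAREN = "/srv/app(/public"

if __FILE__ == $0
  puts "unescaped, sibling: #{under_root_unescaped?(ROOT_WITH_DOT, SIBLING_PATH)}"
  puts "escaped,   sibling: #{under_root_escaped?(ROOT_WITH_DOT, SIBLING_PATH)}"
  puts "paren root compiles unescaped: #{compiles?(ROOT_WITH_PAREN)}"
  puts "paren root compiles escaped:   #{compiles?(ROOT_WITH_PAREN, escape: true)}"
end
```

Where the check is really a literal prefix comparison, avoiding the regex altogether (String#start_with?) removes the class of bug entirely; Regexp.escape is the fix when a regex is genuinely needed.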

CVE-2026-26961 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter fro
CVE-2026-26962 Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part header
CVE-2026-32762 Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parse
CVE-2026-34230 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding
CVE-2026-34763 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path direc
CVE-2026-34785 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served
CVE-2026-34786 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rule
CVE-2026-34826 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header wi
CVE-2026-34827 Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mi
CVE-2026-34829 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a Bo
CVE-2026-34830 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the
CVE-2026-34831 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header us
CVE-2026-34835 Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host hea
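
The CVE-2026-34826 item above adds a max_ranges argument so that a Range header listing thousands of parts cannot make the server do unbounded work. The Ruby below is an added example, not Rack's code, of a Range parser built with that ceiling: it counts the parts before parsing any of them and raises once the limit is exceeded. The function name, its keyword argument and its return convention (Array of inclusive byte Ranges, or nil) are this example's own, not Rack's API.

```ruby
# Added example, not Rack's own code: a Range-header parser with a ceiling
# on the number of ranges. Name, signature and return convention are this
# example's own.

class TooManyRanges < StandardError; end

# Returns an Array of inclusive byte Ranges, or nil when the header is
# absent, malformed or entirely unsatisfiable. Raises TooManyRanges before
# any per-range work is done when the header lists more than max_ranges parts.
def parse_byte_ranges(http_range, size, max_ranges: 10)
  return nil if http_range.nil? || size.nil?
  m = http_range.match(/\Abytes=(.+)\z/)
  return nil unless m

  specs = m[1].split(",").map(&:strip)
  # Counting is linear in the header length; everything after this point is
  # bounded by max_ranges rather than by what the client chose to send.
  raise TooManyRanges, "#{specs.size} ranges, limit #{max_ranges}" if specs.size > max_ranges

  ranges = []
  specs.each do |spec|
    first, last = spec.split("-", 2)
    return nil if first.nil? || last.nil?          # no '-' at all
    if first.empty?
      # Suffix form "-N": the final N bytes.
      return nil unless last.match?(/\A\d+\z/)
      n = last.to_i
      next if n.zero?
      ranges << ([size - n, 0].max..size - 1)
    else
      return nil unless first.match?(/\A\d+\z/) && last.match?(/\A\d*\z/)
      start = first.to_i
      next if start >= size                        # unsatisfiable part, skip
      stop = last.empty? ? size - 1 : [last.to_i, size - 1].min
      next if stop < start
      ranges << (start..stop)
    end
  end
  ranges.empty? ? nil : ranges
end

if __FILE__ == $0
  p parse_byte_ranges("bytes=0-99, -500", 1000)
  hostile = "bytes=" + Array.new(100_000) { "0-0" }.join(",")
  begin
    parse_byte_ranges(hostile, 1000)
  rescue TooManyRanges => e
    puts "rejected: #{e.message}"
  end
end
```

A caller would map TooManyRanges to a 416 or 400 response; the point is that the decision is made from the part count alone, before any range is interpreted or any file I/O is scheduled.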

Version: 3.1.16-0.1ubuntu0.2 2026-02-26 02:07:39 UTC

  ruby-rack (3.1.16-0.1ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: Directory Traversal Attack
    - debian/patches/CVE-2026-22860.patch: Prevent directory traversal
      via root prefix bypass
    - CVE-2026-22860
  * SECURITY UPDATE: XSS Injection
    - debian/patches/CVE-2026-25500.patch: Stop XSS injection via malicious
      filename in `Rack::Directory`
    - CVE-2026-25500

 -- Bruce Cable <email address hidden> Mon, 23 Feb 2026 10:20:37 +1100

CVE-2026-22860 Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match o
CVE-2026-25500 Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where e
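
Two of the entries on this page are about the same check done wrong in different ways: CVE-2026-34785 (Rack::Static decided a path was under the static root because it merely contained the root) and CVE-2026-22860 (Rack::Directory used a bare string prefix match). The Ruby below is an added example, not Rack's code, that puts both faulty tests next to a containment check without those holes. Root, request paths and function names are constructed for this example.

```ruby
# Added example, not Rack's own code: checking that a requested file lies
# under a configured root. Root, paths and function names are constructed.

ROOT = "/srv/public"   # constructed; assumed absolute and already expanded

# Resolve the request path against the root the way a file server would,
# collapsing "..", "." and doubled separators.
def resolve(request_path)
  File.expand_path(File.join(ROOT, request_path))
end

# Hole 1: the root merely has to appear somewhere in the resolved path, so
# "/../../tmp/srv/public/evil" resolves outside ROOT yet still passes.
def served_contains?(request_path)
  resolve(request_path).include?(ROOT)
end

# Hole 2: a bare prefix test also accepts siblings whose name happens to
# begin with the root's name, such as /srv/public_secrets.
def served_prefix?(request_path)
  resolve(request_path).start_with?(ROOT)
end

# Fixed: the resolved path must be the root itself or sit below it, i.e.
# start with the root followed by a directory separator.
def served_safe?(request_path)
  full = resolve(request_path)
  full == ROOT || full.start_with?(ROOT + File::SEPARATOR)
end

if __FILE__ == $0
  ["/index.html", "/../public_secrets/key.pem", "/../../tmp/srv/public/evil"].each do |req|
    printf("%-32s contains=%-5s prefix=%-5s safe=%s\n", req,
           served_contains?(req), served_prefix?(req), served_safe?(req))
  end
end
```

Expanding before comparing is what defeats "..", and appending the separator is what defeats the sibling-directory bypass; neither step alone is enough.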

Version: 3.1.16-0.1ubuntu0.1 2026-01-15 10:07:41 UTC

  ruby-rack (3.1.16-0.1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - d/p/CVE-2025-61770-and-CVE-2025-61772.patch: Enforce a size limit for
      the preamble and multipart mime part header
    - d/p/CVE-2025-61771.patch: Limit amount of retained data when parsing
      multipart requests
    - CVE-2025-61770
    - CVE-2025-61772
    - CVE-2025-61771

  * SECURITY UPDATE: Information disclosure using proxy bypass
    - debian/patches/CVE-2025-61780.patch: Fix handling of proxy headers
      (`HTTP_X_SENDFILE_TYPE` and `HTTP_X_ACCEL_MAPPING`) in Rack::Sendfile
    - CVE-2025-61780

  * SECURITY UPDATE: Denial of service through memory exhaustion
    - debian/patches/CVE-2025-61919.patch: Enforce form parameter limit
      using `query_parser.bytesize_limit` preventing unbounded read of
      `application/x-www-form-urlencoded` bodies
    - CVE-2025-61919

 -- Shishir Subedi <email address hidden> Mon, 01 Dec 2025 13:19:26 +0545

CVE-2025-61770 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart p
CVE-2025-61772 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data
CVE-2025-61771 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (
CVE-2025-61780 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in
CVE-2025-61919 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into mem


