UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface

Latest version: 1.6.4-3ubuntu0.2
Release: xenial (16.04)
Level: updates
Repository: universe
Homepage: https://rack.github.io/

Links


Download "ruby-rack"


Other versions of "ruby-rack" in Xenial

Repository Area Version
base universe 1.6.4-3
security universe 1.6.4-3ubuntu0.2

Changelog

Version: 1.6.4-3ubuntu0.2 2021-04-06 13:07:09 UTC

  ruby-rack (1.6.4-3ubuntu0.2) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

 -- Eduardo Barretto <email address hidden> Thu, 01 Apr 2021 12:43:47 +0200

Source diff to previous version
CVE-2020-8161 A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory a
CVE-2020-8184 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an

Version: 1.6.4-3ubuntu0.1 2019-08-07 19:06:58 UTC

  ruby-rack (1.6.4-3ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Crafted requests can impact the data returned by the scheme
    method on Rack::Request leading to an XSS attack.
    - debian/patches/CVE-2018-16471.patch: whitelist http/https schemes.
    - CVE-2018-16471

 -- Eduardo Barretto <email address hidden> Tue, 06 Aug 2019 11:38:00 -0300

CVE-2018-16471 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method



About   -   Send Feedback to @ubuntu_updates