UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface

Latest version: 1.6.4-4ubuntu0.2
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://rack.github.io/

Other versions of "ruby-rack" in Bionic

Repository   Area       Version
base         universe   1.6.4-4
updates      universe   1.6.4-4ubuntu0.2

Changelog

Version: 1.6.4-4ubuntu0.2 2020-09-30 20:06:17 UTC

  ruby-rack (1.6.4-4ubuntu0.2) bionic-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

 -- Eduardo Barretto <email address hidden> Wed, 30 Sep 2020 12:08:48 -0300

CVE-2020-8161 A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory a
CVE-2020-8184 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an

Version: 1.6.4-4ubuntu0.1 2019-08-07 18:06:18 UTC

  ruby-rack (1.6.4-4ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Crafted requests can impact the data returned by the scheme
    method on Rack::Request leading to an XSS attack.
    - debian/patches/CVE-2018-16471.patch: whitelist http/https schemes.
    - CVE-2018-16471

 -- Eduardo Barretto <email address hidden> Tue, 06 Aug 2019 11:20:40 -0300

CVE-2018-16471 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method