UbuntuUpdates.org

Package "ruby-rack"

Name: ruby-rack

Description:

modular Ruby webserver interface

Latest version: 2.1.4-5ubuntu1.2
Release: jammy (22.04)
Level: security
Repository: universe
Homepage: https://rack.github.io/

Other versions of "ruby-rack" in Jammy

Repository   Area       Version
base         universe   2.1.4-5ubuntu1
updates      universe   2.1.4-5ubuntu1.2

Changelog

Version: 2.1.4-5ubuntu1.2 2026-01-15 07:07:48 UTC

  ruby-rack (2.1.4-5ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service through large query parameters.
    - debian/patches/CVE-2025-46727.patch: Add query parameter limit and
      bytesize limit and corresponding checks in ./lib/rack/query_parser.rb.
    - CVE-2025-46727

  * SECURITY UPDATE: Limited Denial of service
    - debian/patches/CVE-2025-59830.patch: Fix unbounded parameter parsing
      in `Rack::QueryParser` by counting both possible parameter separators
      (& and ;)
    - CVE-2025-59830

  * SECURITY UPDATE: Denial of service
    - d/p/CVE-2025-61770-and-CVE-2025-61772.patch: Enforce a size limit for
      the preamble and multipart mime part header
    - d/p/CVE-2025-61771.patch: Limit amount of retained data when parsing
      multipart requests
    - CVE-2025-61770
    - CVE-2025-61772
    - CVE-2025-61771

  * SECURITY UPDATE: Information disclosure using proxy bypass
    - debian/patches/CVE-2025-61780.patch: Fix handling of proxy headers
      (`HTTP_X_SENDFILE_TYPE` and `HTTP_X_ACCEL_MAPPING`) in Rack::Sendfile
    - CVE-2025-61780

  * SECURITY UPDATE: Denial of service through memory exhaustion
    - debian/patches/CVE-2025-61919.patch: Enforce form parameter limit
      using `query_parser.bytesize_limit` preventing unbounded read of
      `application/x-www-form-urlencoded` bodies
    - CVE-2025-61919

 -- Shishir Subedi <email address hidden> Mon, 01 Dec 2025 12:58:36 +0545

CVE-2025-46727 Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/
CVE-2025-59830 Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &,
CVE-2025-61770 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart p
CVE-2025-61772 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data
CVE-2025-61771 Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file form fields (
CVE-2025-61780 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in
CVE-2025-61919 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into mem

Version: 2.1.4-5ubuntu1.1 2024-09-26 07:06:47 UTC

  ruby-rack (2.1.4-5ubuntu1.1) jammy-security; urgency=high

  * SECURITY UPDATE: Outstanding CVEs patched upstream (LP: #2078711)
    - Following patches ported from debian bullseye (2.1.4-3+deb11u2)
    - CVE-2024-25126: ReDoS in Content Type header parsing
    - CVE-2024-26141: Reject Range headers which are too large
    - CVE-2024-26146: ReDoS in Accept header parsing
    - CVE-2022-30122: Add patch to restrict broken mime parsing.
    - CVE-2022-30123: Add patch to escape untrusted text when logging.
    - CVE-2022-44570: Add patch to fix ReDoS in Rack::Utils.get_byte_ranges.
    - CVE-2022-44571: Add patch to fix ReDoS vulnerability in multipart parser.
    - CVE-2022-44572: Add patch to forbid control characters in attributes.
    - CVE-2023-27530: Add patch to limit all multipart parts, not just files.
    - CVE-2023-27539: Add patch to avoid ReDoS problem.
  * Build test fix [ Bruce Cable <email address hidden> ]
    - fix-spec-mock-tests.patch: modifies expected value for build tests to
      pass

 -- Lissa Moriarty <email address hidden> Mon, 02 Sep 2024 15:46:12 +0100

2078711 Outstanding CVEs in ruby-rack
CVE-2024-25126 Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expec
CVE-2024-26141 Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Respo
CVE-2024-26146 Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a p
CVE-2022-30122 A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
CVE-2022-30123 A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow a possible shell escape in the Lint and Common
CVE-2022-44570 A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsin
CVE-2022-44571 There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This coul
CVE-2022-44572 A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker t
CVE-2023-27530 A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code which could allow an at