Your message dated Thu, 20 Mar 2025 08:01:44 +0100
with message-id <[email protected]>
and subject line Re: Accepted ruby-rack 3.1.12-1 (source) into unstable
has caused the Debian Bug report #1098257,
regarding ruby-rack: CVE-2025-25184
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1098257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.0.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-25184[0]:
| Rack provides an interface for developing web applications in Ruby.
| Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can
| be exploited by crafting input that includes newline characters to
| manipulate log entries. The supplied proof-of-concept demonstrates
| injecting malicious content into logs. When a user provides the
| authorization credentials via Rack::Auth::Basic, on success the
| username will be put in env['REMOTE_USER'] and later be used by
| Rack::CommonLogger for logging purposes. The issue occurs when a
| server intentionally or unintentionally allows user creation with
| a username containing CRLF and white space characters, or the server
| just wants to log every login attempt. If an attacker enters a
| username with CRLF characters, the logger will log the malicious
| username with CRLF characters into the logfile. Attackers can break
| log formats or insert fraudulent entries, potentially obscuring real
| activity or injecting malicious data into log files. Versions
| 2.2.11, 3.0.12, and 3.1.10 contain a fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25184
    https://www.cve.org/CVERecord?id=CVE-2025-25184
[1] https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
[2] https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
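As an added illustration of the log-injection mechanism the advisory above describes (example code written for this page, not Rack's own implementation or its upstream fix), the following builds a Common Log Format line from a Rack-style env hash twice: once with REMOTE_USER copied verbatim, and once with its non-printable bytes escaped so one request can never yield more than one log record. The env hash, the username and the field layout are constructed for the example.

```ruby
# Added example, not Rack's code: Common Log Format assembly with and without
# escaping of the REMOTE_USER field that Rack::Auth::Basic populates.

LOG_FORMAT = %(%s - %s [%s] "%s %s %s" %d %s\n)

# Escape every non-printable character (CR, LF, ESC, NUL, ...) as \xNN.
# Escaping per byte keeps multi-byte UTF-8 text such as "é" untouched while
# leaving no way to smuggle a line break into the log.
def escape_log_field(value)
  value.to_s.gsub(/[^[:print:]]/) do |c|
    c.bytes.map { |b| format('\\x%02X', b) }.join
  end
end

# sanitize: false reproduces the pre-fix behaviour (field copied verbatim).
def common_log_line(env, status, length, sanitize: true)
  user = env['REMOTE_USER'] || '-'
  user = escape_log_field(user) if sanitize
  format(LOG_FORMAT,
         env['REMOTE_ADDR'] || '-', user, env['TIME'],
         env['REQUEST_METHOD'], env['PATH_INFO'], env['SERVER_PROTOCOL'],
         status, length)
end

# Constructed request environment: the username supplied to Basic auth
# carries a CRLF followed by text meant to read as a separate log entry.
FORGED_USER = "alice\r\nforged second entry".freeze
SAMPLE_ENV = {
  'REMOTE_ADDR' => '203.0.113.7', 'REMOTE_USER' => FORGED_USER,
  'TIME' => '19/Mar/2025:15:53:01 +0000', 'REQUEST_METHOD' => 'POST',
  'PATH_INFO' => '/login', 'SERVER_PROTOCOL' => 'HTTP/1.1'
}.freeze

# How many records a line-oriented log parser (or a SIEM) would ingest.
def record_count(line)
  line.split(/\r?\n/).size
end

if __FILE__ == $PROGRAM_NAME
  puts common_log_line(SAMPLE_ENV, 401, 0, sanitize: false) # two records
  puts common_log_line(SAMPLE_ENV, 401, 0)                  # one record
end
```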
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.1.12-1

On Wed, Mar 19, 2025 at 04:42:18PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Wed, 19 Mar 2025 15:53:01 +0000
> Source: ruby-rack
> Architecture: source
> Version: 3.1.12-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Ruby Team <[email protected]>
> Changed-By: Blair Noctis <[email protected]>
> Changes:
>  ruby-rack (3.1.12-1) unstable; urgency=medium
>  .
>    * Team upload
>    * New upstream version 3.1.12
>    * Drop obsolete B-Ds
> Checksums-Sha1:
> Checksums-Sha256:
> Files:
> 
> 

--- End Message ---
