Your message dated Thu, 20 Mar 2025 08:01:44 +0100
with message-id <[email protected]>
and subject line Re: Accepted ruby-rack 3.1.12-1 (source) into unstable
has caused the Debian Bug report #1099546,
regarding ruby-rack: CVE-2025-27111
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1099546: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.0.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-27111[0]:
| Rack is a modular Ruby web server interface. The Rack::Sendfile
| middleware logs unsanitised header values from the X-Sendfile-Type
| header. An attacker can exploit this by injecting escape sequences
| (such as newline characters) into the header, resulting in log
| injection. This vulnerability is fixed in 2.2.12, 3.0.13, and
| 3.1.11.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27111
https://www.cve.org/CVERecord?id=CVE-2025-27111
[1] https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
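The CVE text in the report above describes the bug class but not what a forged log entry looks like or what the safe pattern is. The following is an added example (editor's illustration, not code from Rack, from the bug thread, or from the upstream fix): a minimal logger that interpolates the raw X-Sendfile-Type value into rack.errors, beside a hardened version that escapes control characters before logging. The env hash, the "Unknown x-sendfile variation" message text, the sanitize_for_log helper and the payload are all constructed for this demonstration; only the HTTP_X_SENDFILE_TYPE key name follows Rack's usual CGI-style header mapping.

```ruby
# Added example, not code from Rack or from the Debian bug thread.
# Demonstrates the bug class described in CVE-2025-27111: a middleware
# writes an attacker-controlled request header straight into its error log,
# so a header value containing a newline forges a second log line.
# The env hash, log message text, helper names and payload are constructed
# for illustration; they are not Rack's implementation or its fix.

require 'stringio'

# Constructed request environment, shaped like a Rack env hash.
# Rack exposes the X-Sendfile-Type request header as HTTP_X_SENDFILE_TYPE.
def constructed_env(header_value)
  {
    'REQUEST_METHOD'       => 'GET',
    'PATH_INFO'            => '/download/report.pdf',
    'HTTP_X_SENDFILE_TYPE' => header_value,
    'rack.errors'          => StringIO.new,
  }
end

# Vulnerable pattern: interpolate the raw header value into the log line.
# A "\n" inside the value ends the line early and whatever follows it is
# written as a brand-new, attacker-authored log entry.
def log_variation_unsafe(env)
  variation = env['HTTP_X_SENDFILE_TYPE']
  env['rack.errors'].puts "Unknown x-sendfile variation: '#{variation}'"
end

# Hardened pattern (constructed helper): hex-escape every C0 control
# character, DEL, the quote used as delimiter, and backslash, so one request
# produces exactly one log line and the injected text stays visibly quoted.
def sanitize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f'\\]/) { |c| format('\\x%02x', c.ord) }
end

def log_variation_safe(env)
  variation = sanitize_for_log(env['HTTP_X_SENDFILE_TYPE'])
  env['rack.errors'].puts "Unknown x-sendfile variation: '#{variation}'"
end

# Run both loggers against the same header value and return the log lines
# each one produced, so the difference can be inspected or asserted on.
def demo(payload)
  unsafe_env = constructed_env(payload)
  safe_env   = constructed_env(payload)
  log_variation_unsafe(unsafe_env)
  log_variation_safe(safe_env)
  {
    unsafe: unsafe_env['rack.errors'].string.lines(chomp: true),
    safe:   safe_env['rack.errors'].string.lines(chomp: true),
  }
end

# Constructed payload: a plausible-looking value, a closing quote, a newline,
# then a fabricated entry meant to mislead whoever reads the log later.
INJECTION_PAYLOAD = "X-Accel-Redirect'\n[admin] login from 10.0.0.1 OK '"

if $PROGRAM_NAME == __FILE__
  result = demo(INJECTION_PAYLOAD)
  puts "unsafe logger wrote #{result[:unsafe].size} lines:"
  result[:unsafe].each { |l| puts "  #{l}" }
  puts "safe logger wrote #{result[:safe].size} line(s):"
  result[:safe].each { |l| puts "  #{l}" }
end
```

With the constructed payload the unsafe logger emits two lines, the second of which reads as a standalone "[admin] login ..." entry; the sanitized logger emits a single line with the newline and quotes rendered as \x0a and \x27. Escaping rather than stripping is the deliberate choice here: the operator can still see exactly what the client sent, which matters when the log is the evidence during incident response.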
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.1.12-1
On Wed, Mar 19, 2025 at 04:42:18PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Wed, 19 Mar 2025 15:53:01 +0000
> Source: ruby-rack
> Architecture: source
> Version: 3.1.12-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Ruby Team <[email protected]>
> Changed-By: Blair Noctis <[email protected]>
> Changes:
> ruby-rack (3.1.12-1) unstable; urgency=medium
> .
> * Team upload
> * New upstream version 3.1.12
> * Drop obsolete B-Ds
> Checksums-Sha1:
> 21725324dbbf24ea2acd9ef15443a6a6049f778b 1763 ruby-rack_3.1.12-1.dsc
> 326a682ba4c6bc415f4cc4a34c80b554bcd98673 792241 ruby-rack_3.1.12.orig.tar.gz
> 16c2cf37d14bc56d362f1f39c36ac65b9b4af558 7464 ruby-rack_3.1.12-1.debian.tar.xz
> 3ce03103485261ce24e16bd6138580cd5a8d3763 8374 ruby-rack_3.1.12-1_amd64.buildinfo
> Checksums-Sha256:
> 49f3161492bd1788e0b9f37e4cafda46f0e7102fd3c48cbe28cb5b356e836f4c 1763 ruby-rack_3.1.12-1.dsc
> e4ecfa3469a2eef8f041037b5b5cb6f3d042aa6d8489e246e10dcbb2f9e0c4ea 792241 ruby-rack_3.1.12.orig.tar.gz
> e4485399096da94e37b715542fe53899687368ac93e5e6b8228fc588e2eaf8c2 7464 ruby-rack_3.1.12-1.debian.tar.xz
> 7a7bf6bf87fb2805f014af61f65d0346bcbbe351ac2520210148d4ffdd89dee9 8374 ruby-rack_3.1.12-1_amd64.buildinfo
> Files:
> bf0773642878ec64bb2fd53a6b9d6c1d 1763 ruby optional ruby-rack_3.1.12-1.dsc
> 5def99b7f9060da8363f6207bc7cb0bf 792241 ruby optional ruby-rack_3.1.12.orig.tar.gz
> 5c73599b7173033c34a97ed0c453c73e 7464 ruby optional ruby-rack_3.1.12-1.debian.tar.xz
> 9f0ffd1208ef71ca5974ce139e9f40eb 8374 ruby optional ruby-rack_3.1.12-1_amd64.buildinfo
>
>
> -----BEGIN PGP SIGNATURE-----
>
> iIYEARYKAC4WIQScTWEJ927Sl0a/hB7sV97Kb1Pv6QUCZ9rqRhAcbmN0c0BkZWJp
> YW4ub3JnAAoJEOxX3spvU+/p4b0A/0FBSzavVq9lhqeSVuN4os0ZtSgRgBQISIVW
> WZuADFhOAP9AznT7dyIIMsSmZHM11kLUoU7jeDDsViCyt/Q1ThaKAg==
> =r2xn
> -----END PGP SIGNATURE-----
>
--- End Message ---