Your message dated Sat, 25 May 2024 19:32:10 +0000
with message-id <e1sax7i-00ehki...@fasolo.debian.org>
and subject line Bug#1064516: fixed in ruby-rack 2.2.6.4-1+deb12u1
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.

--- End Message ---
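The three fixes listed in the report fall into two mitigation classes: a size cap applied to a client-controlled header before it is parsed at all (the Range fix), and replacing a regular expression whose optional-whitespace quantifiers make header splitting superlinear with a plain delimiter split followed by strip (the Content-Type and Accept fixes). The Ruby below is an added example written for this page, not code from Rack, Debian or the reporter; the function names, the 1024-byte cap and the constructed headers are assumptions chosen for the illustration, and it does not claim to reproduce the exact patterns the upstream commits changed.

```ruby
# Added illustration, not code from Rack or Debian: the two mitigation
# patterns behind the fixes named in this bug report, applied to a small
# header parser. (a) A media-type splitter whose whitespace handling makes
# the regex engine rescan a long run of spaces from every start position,
# next to a linear variant. (b) A Range header parser that enforces a byte
# cap on the header before it does any other work. The cap and the function
# names are chosen for this example; they are not Rack's.

require 'benchmark'

MAX_RANGE_HEADER_BYTES = 1024 # illustrative limit, not a value from Rack

# Backtracking-prone shape: optional whitespace on both sides of the
# delimiter class. String#split retries the pattern from each position after
# a failed attempt; when a long run of spaces sits between the type and the
# first delimiter, every attempt that starts inside that run scans to its end
# before failing, so total time grows with the square of the run length.
SLOW_SPLIT = /\s*[;,]\s*/

# Linear shape: split on the delimiter alone, then strip each piece.
FAST_SPLIT = /[;,]/

def media_type_slow(header)
  type, *params = header.to_s.split(SLOW_SPLIT)
  assemble(type, params)
end

def media_type_fast(header)
  type, *params = header.to_s.split(FAST_SPLIT).map(&:strip)
  assemble(type, params)
end

# Normalise "type/subtype" plus "key=value" parameters into a Hash.
def assemble(type, params)
  pairs = params.each_with_object({}) do |param, acc|
    key, value = param.split('=', 2)
    next if key.nil? || key.empty?
    acc[key.downcase] = value.to_s.delete_prefix('"').delete_suffix('"')
  end
  { type: type.to_s.strip.downcase, params: pairs }
end

# Time both parsers on a constructed header carrying a run of +n+ spaces
# between the type and the first delimiter. Returns slow time / fast time.
def slowdown_ratio(n)
  header = "text/plain#{' ' * n}x;charset=utf-8"
  slow = Benchmark.realtime { media_type_slow(header) }
  fast = Benchmark.realtime { media_type_fast(header) }
  slow / fast
end

# Parse a Range header into satisfiable inclusive byte ranges for a body of
# +size+ bytes, refusing oversized headers before parsing. Returns :too_large
# when the cap is exceeded, nil when the header is absent or not a well-formed
# bytes range, otherwise an Array of Range objects.
def byte_ranges(header, size, max_bytes: MAX_RANGE_HEADER_BYTES)
  return nil if header.nil?
  # Cheap length check first: the client controls this string, so never
  # split or match an arbitrarily long one.
  return :too_large if header.bytesize > max_bytes
  return nil unless header.start_with?('bytes=')

  ranges = header[6..].split(',').map do |part|
    m = /\A(\d*)-(\d*)\z/.match(part.strip)
    return nil if m.nil? || (m[1].empty? && m[2].empty?)
    first, last = m[1], m[2]
    if first.empty?                       # suffix range: the last N bytes
      start = [size - last.to_i, 0].max
      finish = size - 1
    else
      start = first.to_i
      finish = last.empty? ? size - 1 : [last.to_i, size - 1].min
    end
    start..finish
  end
  # Drop unsatisfiable ranges (start past the end, or inverted).
  ranges.reject { |r| r.begin >= size || r.begin > r.end }
end

if $PROGRAM_NAME == __FILE__
  p media_type_fast('Text/HTML; charset="UTF-8"')
  printf("slow/fast time ratio for a 4000-space run: %.1fx\n", slowdown_ratio(4_000))
  p byte_ranges('bytes=0-99,-100', 1000)
  p byte_ranges("bytes=#{'0-1,' * 300}", 1000)
end
```

Running the file prints the slow/linear time ratio for a 4000-space header; raise the run length passed to slowdown_ratio to watch the ratio climb. Keep the cap check in byte_ranges ahead of any split or match: once an oversized header reaches the parser, a limit applied afterwards no longer bounds the work.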
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.6.4-1+deb12u1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 23:39:36 +0300
Source: ruby-rack
Architecture: source
Version: 2.2.6.4-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1064516
Changes:
 ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 59cfba059f5e804d0f88cbcf7e340facc8bf1351 2385 ruby-rack_2.2.6.4-1+deb12u1.dsc
 c112aa25347c7eb7657ccde6a3c2315800cfef97 279212 ruby-rack_2.2.6.4.orig.tar.gz
 88a2b1c2c9db017508d364d0e323104ccf791a08 10924 ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 137cdca52c7f1dfb0a3468018ddf09d145bc7155467d47e134d8872706f9ad53 2385 ruby-rack_2.2.6.4-1+deb12u1.dsc
 3cae965f53c4d556fd3d919729dfb698e86b8b6507045096c635ef4cf998f14b 279212 ruby-rack_2.2.6.4.orig.tar.gz
 5f374d8bf401898ac557cb2d3a124c050741472f490642454830b49b37671598 10924 ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz
Files:
 b682b52017acf8a03824460b889e62a9 2385 ruby optional ruby-rack_2.2.6.4-1+deb12u1.dsc
 77b35ec78eda851646a0c2bfe0f91e9e 279212 ruby optional ruby-rack_2.2.6.4.orig.tar.gz
 9d43b6a5f8218baceb0cbc452c0f17d2 10924 ruby optional ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
