Your message dated Sat, 04 May 2024 21:17:14 +0000
with message-id <e1s3mks-00h5bk...@fasolo.debian.org>
and subject line Bug#1064516: fixed in ruby-rack 2.2.7-1.1
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b 
(v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd 
(v2.2.8.1)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.

--- End Message ---
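The first item above (CVE-2024-26141, "Reject Range headers which are too large") describes a fix of a kind worth seeing in working form. The parser below is an added example for this page, not Rack's code and not the upstream patch; the two size limits, the `RangeHeaderRejected` class and the function name are assumptions chosen for illustration. It refuses oversized headers before doing any per-range work, and its regexes are anchored with no nested quantifiers, the same concern the two ReDoS items (CVE-2024-25126, CVE-2024-26146) address for Content-Type and Accept parsing.

```ruby
# Added example, not Rack's code: a byte-range parser that bounds the work
# it does on an attacker-controlled Range header before parsing any spec.
# The limits are illustrative assumptions, not values taken from Rack.
MAX_RANGE_HEADER_BYTES = 256 # assumption: far above any legitimate Range header
MAX_RANGE_SPECS = 32         # assumption: cap on comma-separated range specs

class RangeHeaderRejected < StandardError; end

# Parses "bytes=first-last,first-,-suffix" against a body of +size+ bytes.
# Returns an array of inclusive [first, last] pairs, nil when the header is
# absent, malformed or unsatisfiable (the caller then serves the full body
# or a 416), and raises RangeHeaderRejected when the header is too large to
# parse safely.
def byte_ranges(header, size, max_bytes: MAX_RANGE_HEADER_BYTES, max_specs: MAX_RANGE_SPECS)
  return nil if header.nil?

  # Size checks come first so a huge header is refused in O(1), not O(n).
  if header.bytesize > max_bytes
    raise RangeHeaderRejected, "Range header is #{header.bytesize} bytes (limit #{max_bytes})"
  end
  return nil if size <= 0
  return nil unless header.start_with?("bytes=")

  specs = header[6..-1].split(",")
  if specs.size > max_specs
    raise RangeHeaderRejected, "Range header has #{specs.size} ranges (limit #{max_specs})"
  end

  ranges = []
  specs.each do |spec|
    # Each pattern is anchored and free of nested quantifiers, so matching
    # is linear in the (already bounded) spec length.
    case spec.strip
    when /\A(\d+)-(\d*)\z/
      first = $1.to_i
      last  = $2.empty? ? size - 1 : [$2.to_i, size - 1].min
      next if first > last            # unsatisfiable spec: skip it
      ranges << [first, last]
    when /\A-(\d+)\z/
      suffix = $1.to_i
      next if suffix.zero?
      ranges << [[size - suffix, 0].max, size - 1]
    else
      return nil                      # malformed spec: ignore the whole header
    end
  end
  ranges.empty? ? nil : ranges
end

if __FILE__ == $PROGRAM_NAME
  p byte_ranges("bytes=0-99,-100", 1000)          # [[0, 99], [900, 999]]
  begin
    byte_ranges("bytes=" + (["0-1"] * 200).join(","), 1000)
  rescue RangeHeaderRejected => e
    puts "rejected: #{e.message}"
  end
end
```

Rack's own parser is `Rack::Utils.byte_ranges`; this stand-alone version is meant for comparison, not as a drop-in replacement. The point to carry over is ordering: check the header's size and the number of range specs before running any per-range matching, so the cost of a hostile header is bounded by a constant rather than by its length.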
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.7-1.1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 22:55:26 +0300
Source: ruby-rack
Architecture: source
Version: 2.2.7-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1064516
Changes:
 ruby-rack (2.2.7-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 f74ea2d462b8737d733fabf353e6c3d9797b2d84 2347 ruby-rack_2.2.7-1.1.dsc
 5f0f4c3a182eba4c4066b011623f01053c8ebc8e 279222 ruby-rack_2.2.7.orig.tar.gz
 6150b1489f5bbf7e4164c9da072976b3d3988d51 10932 ruby-rack_2.2.7-1.1.debian.tar.xz
Checksums-Sha256:
 1dd5f94772d834d6b0f24d64d4890223f7fdc6c6b1248190acaf2e7726f3779d 2347 ruby-rack_2.2.7-1.1.dsc
 e942379fba7a6aa18951973a95cc323c10af7aa7ff61207794bf6fea3ec822b4 279222 ruby-rack_2.2.7.orig.tar.gz
 0bf5154539fdedd122ec3faef1f207681503559d0af4e348c29da701e31dda71 10932 ruby-rack_2.2.7-1.1.debian.tar.xz
Files:
 d34fa63feef913c5426dfaa79cdaa82b 2347 ruby optional ruby-rack_2.2.7-1.1.dsc
 09f5512b2919ceffc5ab777aebf0c88a 279222 ruby optional ruby-rack_2.2.7.orig.tar.gz
 946e35965f30969180924c81317cb52f 10932 ruby optional ruby-rack_2.2.7-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp29or1jwSBd.pgp
Description: PGP signature


--- End Message ---
