Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-2.2 for
openSUSE:Factory checked in at 2026-03-04 21:11:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.561 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2"
Wed Mar 4 21:11:32 2026 rev:20 rq:1336412 version:2.2.22
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes
2025-11-25 17:25:28.588379565 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.561/rubygem-rack-2.2.changes
2026-03-04 21:11:50.056833516 +0100
@@ -1,0 +2,8 @@
+Wed Mar 4 12:30:29 UTC 2026 - Jay Michalska <[email protected]>
+
+- Update to version 2.2.22
+
+ * [CVE-2026-25500] XSS injection via malicious filename in Rack::Directory.
+ * [CVE-2026-22860] Directory traversal via root prefix bypass in
Rack::Directory.
+
+-------------------------------------------------------------------
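Review bot: the changelog entry names both CVEs but gives no advisory references; adding the GHSA identifiers that upstream's CHANGELOG.md uses for them (GHSA-whrj-4476-wvmp and GHSA-mxw3-3hh2-x2mh) would let packagers cross-reference the fixes without opening the gem.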
Old:
----
rack-2.2.21.gem
New:
----
rack-2.2.22.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.3ML4Ap/_old 2026-03-04 21:11:51.120877162 +0100
+++ /var/tmp/diff_new_pack.3ML4Ap/_new 2026-03-04 21:11:51.124877326 +0100
@@ -24,7 +24,7 @@
#
Name: rubygem-rack-2.2
-Version: 2.2.21
+Version: 2.2.22
Release: 0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
++++++ rack-2.2.21.gem -> rack-2.2.22.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
+++ new/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
@@ -2,6 +2,13 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## Unreleased
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS
injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh)
Directory traversal via root prefix bypass in `Rack::Directory`.
+
## [2.2.21] - 2025-11-03
### Fixed
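Review bot: the new section is headed `## Unreleased` although this update ships as rack 2.2.22 (version.rb in the same diff sets `RELEASE = "2.2.22"`); retitle it `## [2.2.22] - <release date>` in the same style as the `## [2.2.21] - 2025-11-03` heading directly below so the two security entries are attributable to a released version.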
@@ -15,13 +22,6 @@
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper
handling of headers in `Rack::Sendfile` may allow proxy bypass.
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm)
Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
-## [2.2.20] - 2025-11-03
-
-### Fixed
-
-- Multipart parser: limit MIME header size check to the unread buffer region
to avoid false `multipart mime part header too large` errors when previously
read data accumulates in the scan buffer.
([#2392](https://github.com/rack/rack/pull/2392),
[@alpaca-tc](https://github.com/alpaca-tc),
[@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
-
-
## [2.2.19] - 2025-10-07
### Security
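Review bot: this hunk removes the whole `## [2.2.20] - 2025-11-03` section (the multipart parser header-size fix, #2392) rather than only the stray blank lines around it; if the intent was just to tidy spacing, restore the section, otherwise the 2.2.20 history disappears from the changelog.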
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/directory.rb new/lib/rack/directory.rb
--- old/lib/rack/directory.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/directory.rb 1980-01-02 01:00:00.000000000 +0100
@@ -11,7 +11,7 @@
# If +app+ is not specified, a Rack::Files of the same +root+ will be used.
class Directory
- DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td
class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
+ DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td
class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
DIR_PAGE_HEADER = <<-PAGE
<html><head>
<title>%s</title>
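Review bot: the five `%s` placeholders in `DIR_FILE` are still substituted unescaped in this template, so the new `./` prefix only constrains the link target, not the link text or the other cells; confirm that the code formatting `DIR_FILE` HTML-escapes the filename and the remaining fields (e.g. with `Rack::Utils.escape_html`), since that is not visible in this hunk.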
@@ -76,6 +76,7 @@
# Set the root directory and application for serving files.
def initialize(root, app = nil)
@root = ::File.expand_path(root)
+ @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root :
"#{@root}#{::File::SEPARATOR}"
@app = app || Files.new(@root)
@head = Head.new(method(:get))
end
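Review bot: the `end_with?` ternary on the added `@root_with_separator` line looks redundant because `::File.expand_path` on the line above already strips a trailing separator, but it is needed for the filesystem root itself, where `expand_path` returns `/` and unconditional concatenation would produce `//`; a one-line comment stating that would save the next reader the same check.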
@@ -112,7 +113,9 @@
# Rack response to use for requests with paths outside the root, or nil if
path is inside the root.
def check_forbidden(path_info)
return unless path_info.include? ".."
- return if ::File.expand_path(::File.join(@root,
path_info)).start_with?(@root)
+
+ expanded_path = ::File.expand_path(::File.join(@root, path_info))
+ return if expanded_path == @root ||
expanded_path.start_with?(@root_with_separator)
body = "Forbidden\n"
[403, { CONTENT_TYPE => "text/plain",
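Review bot: replacing `start_with?(@root)` with "equal to `@root` or starts with `@root_with_separator`" closes the case where a path outside the root merely shares `@root` as a string prefix, which the old check accepted; since the method still returns early unless `path_info` contains `..`, add regression tests for a `..` path that resolves exactly to `@root` and one that resolves to a directory whose name begins with the root's name, so both branches of the new condition are pinned.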
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.21"
+ RELEASE = "2.2.22"
# Return the Rack release as a dotted string.
def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 1980-01-02 01:00:00.000000000 +0100
+++ new/metadata 1980-01-02 01:00:00.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rack
version: !ruby/object:Gem::Version
- version: 2.2.21
+ version: 2.2.22
platform: ruby
authors:
- Leah Neukirchen
@@ -182,7 +182,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
specification_version: 4
summary: A modular Ruby webserver interface.
test_files: []