On Fri, Oct 17, 2025 at 09:42:40PM +0200, Salvatore Bonaccorso wrote:
> Source: ruby-sinatra
> Version: 4.1.1-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Control: found -1 4.1.1-6
>
> Hi,
>
> The following vulnerability was published for ruby-sinatra.
>
> CVE-2025-61921[0]:
> | Sinatra is a domain-specific language for creating web applications
> | in Ruby. In versions prior to 4.2.0, there is a denial of service
> | vulnerability in the `If-Match` and `If-None-Match` header parsing
> | component of Sinatra, if the `etag` method is used when constructing
> | the response. Carefully crafted input can cause `If-Match` and `If-
> | None-Match` header parsing in Sinatra to take an unexpected amount
> | of time, possibly resulting in a denial of service attack vector.
> | This header is typically involved in generating the `ETag` header
> | value. Any applications that use the `etag` method when generating a
> | response are impacted. Version 4.2.0 fixes the issue.
> [...]
> [2] https://github.com/sinatra/sinatra/issues/2120
The upstream issue says that this bug is only a problem on Ruby < 3.2, which means that only oldstable and older are actually affected. I'm uploading a new upstream version to unstable containing the fix, but this should be marked as not affecting stable. I also prepared a bookworm upload: the diff is attached. Please let me know if I can just upload that.
diff --git a/debian/changelog b/debian/changelog index 7c23102..cdb81b8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ruby-sinatra (3.0.5-3+deb13u1) bookworm; urgency=high + + * Prevent Regexp DoS in ETag generation [CVE-2025-61921] (Closes: #1118290) + * debian/gbp.conf: point debian branch to debian/bookworm + + -- Antonio Terceiro <[email protected]> Sun, 19 Oct 2025 20:02:10 -0300 + ruby-sinatra (3.0.5-3) unstable; urgency=medium * Team upload diff --git a/debian/gbp.conf b/debian/gbp.conf index cec628c..e552daa 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/bookworm diff --git a/debian/patches/CVE-2025-61921.patch b/debian/patches/CVE-2025-61921.patch new file mode 100644 index 0000000..dcd4c95 --- /dev/null +++ b/debian/patches/CVE-2025-61921.patch @@ -0,0 +1,25 @@ +From: gecunps <[email protected]> +Date: Wed, 8 Oct 2025 11:15:08 +0800 +Subject: Fix regex to prevent redos + +This a backport of the original upstream patch. + +Signed-off-by: Antonio Terceiro <[email protected]> +Link: https://github.com/sinatra/sinatra/pull/2121 +--- + lib/sinatra/base.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb +index ba330a4..aeff9fd 100644 +--- a/lib/sinatra/base.rb ++++ b/lib/sinatra/base.rb +@@ -693,7 +693,7 @@ module Sinatra + def etag_matches?(list, new_resource = request.post?) + return !new_resource if list == '*' + +- list.to_s.split(/\s*,\s*/).include? response['ETag'] ++ list.to_s.split(',').map(&:strip).include?(response['ETag']) + end + + def with_params(temp_params) diff --git a/debian/patches/series b/debian/patches/series index 00beef1..a516274 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ i18n-fix.patch fix-relative-path.patch 0001-Tests-against-Haml-6.patch fix-test-broken-by-ruby-rack.patch +CVE-2025-61921.patch
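Review bot: the version in the debian/changelog hunk, `3.0.5-3+deb13u1`, carries the Debian 13 (trixie) suffix while the entry targets `bookworm`, which is Debian 12; a bookworm update should be `3.0.5-3+deb12u1`, so that the `+debNuM` suffix matches the release it is built for and leaves `+deb13u1` free for a later trixie upload of the same base version. The rest of the entry (CVE id, `Closes: #1118290`, urgency=high) reads correctly.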
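Review bot: the patched line in `etag_matches?` is not a strict drop-in for the old one, and the patch description should say so. `split(/\s*,\s*/)` only trimmed whitespace adjacent to a comma, so a value with a leading blank before the first entry (e.g. ` "abc"`) did not match the ETag; `split(',').map(&:strip)` now also trims leading whitespace of the first entry and trailing whitespace of the last, which is more lenient and arguably more correct for a comma-separated header, but is a behaviour change worth one sentence in the description. On the header itself: the DEP-3 block has only `Link:`; adding `Origin: backport, https://github.com/sinatra/sinatra/pull/2121` and `Bug-Debian: https://bugs.debian.org/1118290` would let patch-tracking tooling tie it to the bug, and "This a backport" is missing "is". No regression test (a long whitespace-only `If-None-Match` value against the `etag` helper) accompanies the backport, so the only evidence the fix lands is the one-line diff.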
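The two bodies of `etag_matches?` from the backport above, side by side, as an added example that is not part of this message or of Sinatra's own code. The header samples, the `redos_payload` helper and the `current_etag` parameter (standing in for the `response['ETag']` lookup the real method does) are constructed here. It shows where the old and new matcher agree, the one input shape on which they differ (whitespace before the first entry), and a crafted header that, per the reply above, makes the old regexp backtrack quadratically only on Ruby < 3.2:

```ruby
# Added example (not Sinatra's own code): the pre- and post-patch bodies of
# Sinatra's etag_matches? from the CVE-2025-61921 backport, driven by
# constructed If-None-Match header values. `current_etag` stands in for the
# response['ETag'] lookup the real method performs.

# Pre-patch matcher. The regexp /\s*,\s*/ has optional whitespace on both
# sides of the comma; per the reply, that is the ReDoS trigger on Ruby < 3.2,
# where a long run of whitespace with no comma makes the engine retry the
# leading `\s*` from every offset.
def etag_matches_old(list, current_etag, new_resource = false)
  return !new_resource if list == '*'

  list.to_s.split(/\s*,\s*/).include?(current_etag)
end

# Patched matcher: split on the literal comma, then strip each entry, so no
# backtracking regexp ever runs over attacker-controlled input.
def etag_matches_new(list, current_etag, new_resource = false)
  return !new_resource if list == '*'

  list.to_s.split(',').map(&:strip).include?(current_etag)
end

# Constructed header values (not taken from the advisory or the PR).
SAMPLE_HEADERS = {
  'exact'      => '"abc123"',
  'list'       => '"zzz", "abc123" ,"yyy"',
  'leading_ws' => ' "abc123", "other"',   # old: no match, new: match
  'no_match'   => '"nope"',
  'wildcard'   => '*',
  'nil_header' => nil,                    # header absent
  'weak'       => 'W/"abc123"'            # weak validator, neither matches
}.freeze

# Returns { name => [old_result, new_result] } for every sample header.
def compare_on_samples(current_etag = '"abc123"')
  SAMPLE_HEADERS.to_h do |name, hdr|
    [name, [etag_matches_old(hdr, current_etag), etag_matches_new(hdr, current_etag)]]
  end
end

# Crafted header: n blanks and no comma, the shape that makes the old regexp
# backtrack quadratically on Ruby < 3.2.
def redos_payload(n)
  (' ' * n) + 'x'
end

# Wall-clock seconds for one call of `matcher` on `header`.
def time_matcher(matcher, header, current_etag = '"abc123"')
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matcher.call(header, current_etag)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

if $PROGRAM_NAME == __FILE__
  compare_on_samples.each do |name, (old_r, new_r)|
    puts format('%-10s old=%-5s new=%-5s', name, old_r, new_r)
  end
  blanks = 20_000
  payload = redos_payload(blanks)
  old_t = time_matcher(method(:etag_matches_old), payload)
  new_t = time_matcher(method(:etag_matches_new), payload)
  puts format('Ruby %s: old=%.3fs new=%.3fs on %d blanks', RUBY_VERSION, old_t, new_t, blanks)
end
```

Run it under the Ruby shipped with bookworm (3.1) and the old matcher's time grows with the square of the blank count while the new one stays flat; under Ruby 3.2 or later both finish almost instantly, which is the reason the reply scopes the bug to oldstable and older. The `leading_ws` row is the behavioural difference the one-line patch introduces beyond the ReDoS fix.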

