Hi Antonio,

On Sun, Oct 19, 2025 at 08:08:54PM -0300, Antonio Terceiro wrote:
> On Fri, Oct 17, 2025 at 09:42:40PM +0200, Salvatore Bonaccorso wrote:
> > Source: ruby-sinatra
> > Version: 4.1.1-5
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> > Control: found -1 4.1.1-6
> >
> > Hi,
> >
> > The following vulnerability was published for ruby-sinatra.
> >
> > CVE-2025-61921[0]:
> > | Sinatra is a domain-specific language for creating web applications
> > | in Ruby. In versions prior to 4.2.0, there is a denial of service
> > | vulnerability in the `If-Match` and `If-None-Match` header parsing
> > | component of Sinatra, if the `etag` method is used when constructing
> > | the response. Carefully crafted input can cause `If-Match` and `If-
> > | None-Match` header parsing in Sinatra to take an unexpected amount
> > | of time, possibly resulting in a denial of service attack vector.
> > | This header is typically involved in generating the `ETag` header
> > | value. Any applications that use the `etag` method when generating a
> > | response are impacted. Version 4.2.0 fixes the issue.
> [...]
> > [2] https://github.com/sinatra/sinatra/issues/2120
>
> The upstream issue says that this bug is only a problem on Ruby < 3.2,
> which means that only oldstable and older are actually affected.
>
> I'm uploading a new upstream version to unstable containing the fix,
> but this should be marked as not affecting stable.
Thanks for the update. This would be a perfect candidate for the future
nonissue state (as the source is applicable). I have marked it as
"ignored" (only a problem together with Ruby < 3.2).

> I also prepared a bookworm upload: the diff is attached. Please let me
> know if I can just upload that.

We did mark it no-dsa, so can you prepare a point release update for
that? Note one comment below:

> diff --git a/debian/changelog b/debian/changelog
> index 7c23102..cdb81b8 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +ruby-sinatra (3.0.5-3+deb13u1) bookworm; urgency=high

The Version should be 3.0.5-3+deb12u1 here for bookworm.

Regards,
Salvatore
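Review bot: the new changelog entry's version `3.0.5-3+deb13u1` carries the Debian 13 suffix while the entry targets `bookworm` (Debian 12); a bookworm point-release update should be versioned `3.0.5-3+deb12u1`, as Salvatore points out in the line following the hunk. The hunk header `@@ -1,3 +1,10 @@` announces seven added lines but only the first is quoted in this message, so the remainder of the entry (the CVE reference and the bug being closed) cannot be checked from what is visible here.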

