Your message dated Thu, 30 Oct 2025 10:25:03 +0000
with message-id <[email protected]>
and subject line Bug#1117855: fixed in ruby-rack 3.1.18-1
has caused the Debian Bug report #1117855,
regarding ruby-rack: CVE-2025-61780
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117855: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.2.13-1~deb12u1
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-61780[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure
| vulnerability existed in `Rack::Sendfile` when running behind a
| proxy that supports `x-sendfile` headers (such as Nginx). Specially
| crafted headers could cause `Rack::Sendfile` to miscommunicate with
| the proxy and trigger unintended internal requests, potentially
| bypassing proxy-level access restrictions. When `Rack::Sendfile`
| received untrusted `x-sendfile-type` or `x-accel-mapping` headers
| from a client, it would interpret them as proxy configuration
| directives. This could cause the middleware to send a "redirect"
| response to the proxy, prompting it to reissue a new internal
| request that was not subject to the proxy's access controls. An
| attacker could exploit this by setting a crafted `x-sendfile-type:
| x-accel-redirect` header, setting a crafted `x-accel-mapping`
| header, and requesting a path that qualifies for proxy-based
| acceleration. Attackers could bypass proxy-enforced restrictions and
| access internal endpoints intended to be protected (such as
| administrative pages). The vulnerability did not allow arbitrary
| file reads but could expose sensitive application routes. This issue
| only affected systems meeting all of the following conditions: The
| application used `Rack::Sendfile` with a proxy that supports
| `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set
| or remove the `x-sendfile-type` and `x-accel-mapping` headers; and
| the application exposed an endpoint that returned a body responding
| to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18,
| or 3.2.3, which require explicit configuration to enable
| `x-accel-redirect`. Alternatively, configure the proxy to always set or
| strip the header, or in Rails applications, disable sendfile completely.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61780
https://www.cve.org/CVERecord?id=CVE-2025-61780
[1] https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
[2] https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
[3] https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
[4] https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
Regards,
Salvatore
--- End Message ---
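As an added example (not code from the Debian report or from Rack itself), a Rack-style middleware in Ruby that applies the advisory's "always set or strip the header" mitigation on the application side: it discards any client-supplied X-Sendfile-Type and X-Accel-Mapping headers, pins operator-chosen values before Rack::Sendfile sees the request, and records what it dropped so the application can log it. The class name, the env key `pin_sendfile.dropped`, and the sample request are assumptions constructed for this illustration.

```ruby
# Added example, not code from the Debian report or from Rack itself.
# Rack::Sendfile takes its proxy configuration from the request headers
# X-Sendfile-Type and X-Accel-Mapping (env keys HTTP_X_SENDFILE_TYPE and
# HTTP_X_ACCEL_MAPPING); if the proxy neither sets nor strips them, the client
# chooses them. This middleware, placed in front of Rack::Sendfile, replaces
# whatever arrived with operator-chosen values (the "always set or strip" fix).
class PinSendfileHeaders
  SENDFILE_TYPE = "HTTP_X_SENDFILE_TYPE"
  ACCEL_MAPPING = "HTTP_X_ACCEL_MAPPING"
  DROPPED_KEY   = "pin_sendfile.dropped" # hypothetical env key for logging

  # variation: nil strips both headers, disabling proxy acceleration entirely.
  # mapping: used with "X-Accel-Redirect", e.g. "/var/www/app/public/=/protected-files/".
  def initialize(app, variation: nil, mapping: nil)
    @app, @variation, @mapping = app, variation, mapping
  end

  def call(env)
    # Note which client-sent headers are being dropped so the app can log them;
    # a request carrying these from outside is worth alerting on.
    env[DROPPED_KEY] = [SENDFILE_TYPE, ACCEL_MAPPING].select { |k| env.key?(k) }
    env.delete(SENDFILE_TYPE)
    env.delete(ACCEL_MAPPING)
    if @variation
      env[SENDFILE_TYPE] = @variation
      env[ACCEL_MAPPING] = @mapping if @mapping
    end
    @app.call(env)
  end
end

# Constructed sample request: what an unconfigured proxy forwards when the
# client itself supplied both headers.
SAMPLE_ENV = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/files/report.pdf",
  "HTTP_X_SENDFILE_TYPE" => "client-supplied-type",
  "HTTP_X_ACCEL_MAPPING" => "client-supplied-mapping",
}.freeze
# Inner app standing in for Rack::Sendfile: reports the two header values it
# received and the list of client headers dropped on the way.
ECHO_APP = lambda do |env|
  [200, {}, [env["HTTP_X_SENDFILE_TYPE"], env["HTTP_X_ACCEL_MAPPING"],
             env["pin_sendfile.dropped"]]]
end
# Returns [sendfile_type, accel_mapping, dropped] as seen past the middleware.
def sendfile_headers_seen(env, **opts)
  PinSendfileHeaders.new(ECHO_APP, **opts).call(env.dup).last
end
```

With `variation: nil` the middleware is the equivalent of disabling sendfile; with an explicit variation and mapping it is the equivalent of the proxy always setting the headers itself.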
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.1.18-1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Oct 2025 08:52:58 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1117627 1117628 1117855 1117856
Changes:
ruby-rack (3.1.18-1) unstable; urgency=medium
.
  * New upstream version 3.1.18.
    - CVE-2025-61772: Multipart parser buffers unbounded per-part headers,
      enabling DoS (memory exhaustion).
    - CVE-2025-61771: Multipart parser buffers large non-file fields
      entirely in memory, enabling DoS (memory exhaustion).
    - CVE-2025-61770: Unbounded multipart preamble buffering enables DoS
      (memory exhaustion).
    - CVE-2025-61780: Improper handling of headers in Rack::Sendfile may
      allow proxy bypass.
    - CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead
      to memory exhaustion.
    - Closes: #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---