Your message dated Thu, 30 Oct 2025 10:25:03 +0000
with message-id <[email protected]>
and subject line Bug#1117628: fixed in ruby-rack 3.1.18-1
has caused the Debian Bug report #1117628,
regarding ruby-rack: CVE-2025-61771
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-61771[0]:
| Rack is a modular Ruby web server interface. In versions prior to
| 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file
| form fields (parts without a `filename`) entirely in memory as Ruby
| `String` objects. A single large text field in a multipart/form-data
| request (hundreds of megabytes or more) can consume equivalent process
| memory, potentially leading to out-of-memory (OOM) conditions and
| denial of service (DoS). Attackers can send large non-file fields to
| trigger excessive memory usage. Impact scales with request size and
| concurrency, potentially leading to worker crashes or severe
| garbage-collection overhead. All Rack applications processing
| multipart form submissions are affected. Versions 2.2.19, 3.1.17, and
| 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB).
| Workarounds include restricting maximum request body size at the
| web-server or proxy layer (e.g., Nginx `client_max_body_size`) and
| validating and rejecting unusually large form fields at the
| application level.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61771
https://www.cve.org/CVERecord?id=CVE-2025-61771
[1] https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
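The advisory quoted above lists two workarounds: capping request body size in front of the application and rejecting unusually large form fields at the application level. The following is an added example (not code from the bug report, from Debian, or from the rack project) showing how both can be enforced in a single Rack middleware that sits in front of the multipart parser. The class names `BodySizeLimit` and `LimitedInput`, the 2 MiB default, `SAMPLE_APP` and the helper functions are all constructed for this illustration; the only interface assumed is the standard Rack `call(env)` contract and the `rack.input` stream, so it runs with plain Ruby and no gems.

```ruby
require "stringio"

# Added example, not code from the bug report or from the rack project.
# A Rack middleware that caps the request body *before* any multipart
# parser sees it, covering both the "restrict maximum request body size"
# and "reject unusually large form fields" workarounds from the advisory.
# Class names, the 2 MiB default and the sample app are constructed here.
class BodySizeLimit
  DEFAULT_LIMIT = 2 * 1024 * 1024 # 2 MiB, the per-field cap the fixed versions use

  # Wraps rack.input so that no consumer (e.g. a multipart parser) can pull
  # more than +limit+ bytes out of it, even when no Content-Length is sent.
  class LimitedInput
    class TooLarge < StandardError; end

    def initialize(io, limit)
      @io, @limit, @consumed = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      chunk = outbuf ? @io.read(length, outbuf) : @io.read(length)
      account(chunk)
    end

    def gets
      account(@io.gets)
    end

    def each
      while (line = gets)
        yield line
      end
    end

    def rewind
      @io.rewind
      @consumed = 0
    end

    private

    # Tally bytes handed out and abort the request once the cap is crossed.
    def account(chunk)
      return chunk if chunk.nil?
      @consumed += chunk.bytesize
      raise TooLarge, "request body exceeds #{@limit} bytes" if @consumed > @limit
      chunk
    end
  end

  def initialize(app, limit: DEFAULT_LIMIT)
    @app, @limit = app, limit
  end

  def call(env)
    # Cheap first check: a declared Content-Length over the cap is rejected
    # without reading a single body byte.
    return too_large if env["CONTENT_LENGTH"].to_i > @limit

    # Chunked or undeclared bodies are bounded while being read instead.
    env["rack.input"] = LimitedInput.new(env["rack.input"], @limit) if env["rack.input"]
    @app.call(env)
  rescue LimitedInput::TooLarge
    too_large
  end

  private

  def too_large
    [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
  end
end

# Constructed downstream app: behaves like a parser that slurps the body in
# 64 KiB chunks and reports how much it read.
SAMPLE_APP = lambda do |env|
  total = 0
  while (chunk = env["rack.input"].read(65_536))
    total += chunk.bytesize
  end
  [200, { "content-type" => "text/plain" }, ["read #{total} bytes\n"]]
end

# Build a minimal Rack env for a constructed multipart POST body.
def build_env(body, declare_length: true)
  env = {
    "REQUEST_METHOD" => "POST",
    "CONTENT_TYPE"   => "multipart/form-data; boundary=constructed",
    "rack.input"     => StringIO.new(body),
  }
  env["CONTENT_LENGTH"] = body.bytesize.to_s if declare_length
  env
end

# Returns the HTTP status the capped stack produces for +body+.
def status_for(body, limit:, declare_length: true)
  BodySizeLimit.new(SAMPLE_APP, limit: limit)
               .call(build_env(body, declare_length: declare_length))
               .first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for("a" * 100,  limit: 1024)                        # 200
  puts status_for("a" * 4096, limit: 1024)                        # 413 via Content-Length
  puts status_for("a" * 4096, limit: 1024, declare_length: false) # 413 while reading
end
```

The Content-Length check alone is not sufficient, because a client can omit the header (chunked transfer) or lie about it; wrapping `rack.input` means the cap holds regardless of what the parser downstream does with the bytes. In production the limit should be placed in `config.ru` via `use BodySizeLimit, limit: ...` ahead of any middleware that calls `Rack::Request#POST`, and a proxy-level cap such as Nginx's `client_max_body_size` remains worthwhile as a second layer.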
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.1.18-1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Oct 2025 08:52:58 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1117627 1117628 1117855 1117856
Changes:
ruby-rack (3.1.18-1) unstable; urgency=medium
.
* New upstream version 3.1.18.
- CVE-2025-61772: Multipart parser buffers unbounded per-part headers,
enabling DoS (memory exhaustion).
- CVE-2025-61771: Multipart parser buffers large non-file fields
entirely in memory, enabling DoS (memory exhaustion).
- CVE-2025-61770: Unbounded multipart preamble buffering enables DoS
(memory exhaustion).
- CVE-2025-61780 Improper handling of headers in Rack::Sendfile may
allow proxy bypass.
- CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead
to memory exhaustion.
- Closes: #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
144757b745f5523c1ed22675aa405b8e8548300a 2360 ruby-rack_3.1.18-1.dsc
f358e5c6c93492298cada4c1da6d7db167d161ab 796966 ruby-rack_3.1.18.orig.tar.gz
4b5ad32873c25eb7bf8cdff7bb3df07aa5ca28dd 7800 ruby-rack_3.1.18-1.debian.tar.xz
ae15d64c21c0683034d8b5937e8098182e3c46a1 15766 ruby-rack_3.1.18-1_source.buildinfo
Checksums-Sha256:
7ce053b4c003bfcd15e4246ad65dea5e52a90f4cafeb0883243dc0be48475adb 2360 ruby-rack_3.1.18-1.dsc
7d6d19dd11565706cd4eb0d3952ac0e54b21d0e197c68d4093ec56ebe860ff80 796966 ruby-rack_3.1.18.orig.tar.gz
572dd51e33f01697bba01f9f55d1482fabd8a821c20415a5d2ceb8fef3f208c2 7800 ruby-rack_3.1.18-1.debian.tar.xz
872a4bed3a9856a0163a386ec0dff4badfd40a371c7d4154ee65551ef109db42 15766 ruby-rack_3.1.18-1_source.buildinfo
Files:
686b96316b060a331f15a7af19bcbb99 2360 ruby optional ruby-rack_3.1.18-1.dsc
19b3825059eeb5f37aeba510663be6cd 796966 ruby optional ruby-rack_3.1.18.orig.tar.gz
01449210c27ec843cce5540172234da4 7800 ruby optional ruby-rack_3.1.18-1.debian.tar.xz
1ea96aa4dc670f5afe0459c417327e4e 15766 ruby optional ruby-rack_3.1.18-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJHBAEBCgAxFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmkDJWMTHHV0a2Fyc2hA
ZGViaWFuLm9yZwAKCRCCPpZ2BsNLltZ6EADXO4uf5kcYdNa7xMTPiKYr4zmJ+U5Z
NFqfyRgRXMMYBB+D8D86/fgh1Hex7g81AK0/ruKUkE0exkevBwY834by9EYuyIco
XDhEgsjBuIsNFIcRupDBmeg9X17gnnt1Fb4jOCamTYOc/H9zR+Q09Cv3J0rGBbEM
eB2kFFH0kl1Z3OZXW1DzsSu2+KEHs8/Au1L3ga7zl2RtmYZ1WCR2GK7AOr0L4h2J
6rNaamqOtA/Y0+u9TatIgLYjt0OJbDU97j6h9YSVG9rx3Bu5QBSiCwtaT2gKevkh
OnuP/zGty4pkHgVoVxX420FKSsE1K5TRhAZ4J9I+tOscF0azyLyakufmyvEyh1qC
4SpmS7G8tLmV7+cLOuOsuxtzI9M0bZsln2Q56h0TMowhvL0puCiksXbs5bWVnr4B
6vc71VSPa3ZZk9CToD3B5gCH6u3YXhCD3deMgcnDEO7U1YnB2+xMu1mRReieEGcM
1qi2sKXgTdn7Yw1JpzhhRmgwovhGOEWYpqOeFc2qcXCl00mw5CzTDFAjO27L7nAQ
R2chxOCNDtl38BeOj/Lq2RjhjrIXz9Wrx3EZumy5Okz/mAzys+xI730qDcjFJ29m
EOYpe00y10JGMEAswTqS/QsVcUaAp6T6xJPiSRoCfRw8pIMnvy6rrFyW2dr2M+uF
Sj1QdlvsMLMY0w==
=SUl+
-----END PGP SIGNATURE-----
--- End Message ---