Your message dated Wed, 05 Nov 2025 21:32:21 +0000
with message-id <[email protected]>
and subject line Bug#1117628: fixed in ruby-rack 3.1.18-1~deb13u1
has caused the Debian Bug report #1117628,
regarding ruby-rack: CVE-2025-61771
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-61771[0]:
| Rack is a modular Ruby web server interface. In versions prior to
| 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file
| form fields (parts without a `filename`) entirely in memory as Ruby
| `String` objects. A single large text field in a multipart/form-data
| request (hundreds of megabytes or more) can consume equivalent process
| memory, potentially leading to out-of-memory (OOM) conditions and
| denial of service (DoS). Attackers can send large non-file fields to
| trigger excessive memory usage. Impact scales with request size and
| concurrency, potentially leading to worker crashes or severe
| garbage-collection overhead. All Rack applications processing
| multipart form submissions are affected. Versions 2.2.19, 3.1.17, and
| 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB).
| Workarounds include restricting maximum request body size at the
| web-server or proxy layer (e.g., Nginx `client_max_body_size`) and
| validating and rejecting unusually large form fields at the
| application level.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61771
https://www.cve.org/CVERecord?id=CVE-2025-61771
[1] https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
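The advisory quoted above names two workarounds: cap the whole request body at the proxy, and reject oversized form fields in the application. The block below is an added example, not Rack's code and not part of this bug report or the Debian package; it is a Rack-style middleware that does both without touching `Rack::Multipart::Parser`, by reading the multipart body in fixed-size chunks and aborting as soon as a non-file field exceeds a cap. The names `MultipartLimit`, `MultipartTooLarge`, `parse_multipart`, `MAX_BODY`, `MAX_FIELD` and the `example.form` env key are hypothetical; the 2 MiB per-field default mirrors the cap the advisory says the fixed Rack versions enforce, and the reader assumes CRLF line endings and quoted `name="..."`/`filename="..."` parameters, as browsers and curl produce.

```ruby
# Added example (not Rack's or Debian's code): a Rack-style middleware applying
# the advisory's two workarounds for CVE-2025-61771 without Rack::Multipart::Parser.
# Names (MultipartLimit, MultipartTooLarge, parse_multipart, MAX_*) are hypothetical;
# the 2 MiB per-field default mirrors the cap the fixed Rack versions enforce.
require 'stringio'

MAX_BODY  = 8 * 1024 * 1024   # whole-request cap, the client_max_body_size equivalent
MAX_FIELD = 2 * 1024 * 1024   # cap on any single non-file (text) field

class MultipartTooLarge < StandardError; end

# Streaming multipart/form-data reader. Memory per part is bounded by field_cap
# (text fields) or header_cap (part headers); file bodies are measured, never kept.
# Assumptions: CRLF line endings, quoted name="..." / filename="..." parameters.
def parse_multipart(io, boundary, field_cap: MAX_FIELD, header_cap: 16 * 1024, chunk: 65_536)
  delim = "\r\n--#{boundary}".b
  buf   = "\r\n".b             # prepended so the very first "--boundary" matches delim
  parts = []
  refill = lambda do
    data = io.read(chunk)      # rack.input supports read(length); nil at EOF
    raise MultipartTooLarge, 'truncated multipart body' if data.nil? || data.empty?
    buf << data.b
  end
  # Preamble: drop everything before the first delimiter, keeping only the tail
  # that could be the beginning of a delimiter split across two reads.
  until (i = buf.index(delim))
    buf = buf.byteslice(-(delim.bytesize - 1), delim.bytesize - 1) if buf.bytesize >= delim.bytesize
    refill.call
  end
  buf = buf.byteslice(i + delim.bytesize, buf.bytesize)
  loop do
    refill.call while buf.bytesize < 2
    return parts if buf.start_with?('--')            # closing "--boundary--"
    buf = buf.byteslice(2, buf.bytesize)             # CRLF ending the boundary line
    # Part headers are bounded by header_cap: oversized headers are rejected, not buffered.
    until (h = buf.index("\r\n\r\n"))
      raise MultipartTooLarge, 'part headers too large' if buf.bytesize > header_cap
      refill.call
    end
    headers  = buf.byteslice(0, h)
    buf      = buf.byteslice(h + 4, buf.bytesize)
    name     = headers[/\bname="([^"]*)"/i, 1]
    filename = headers[/\bfilename="([^"]*)"/i, 1]
    value    = filename ? nil : String.new(encoding: Encoding::BINARY)
    size     = 0
    # Part body: release (or, for text fields, accumulate up to field_cap) bytes as
    # they arrive, holding back only the tail that could begin the next delimiter.
    until (j = buf.index(delim))
      safe = buf.bytesize - (delim.bytesize - 1)
      if safe > 0
        size += safe
        raise MultipartTooLarge, "field #{name.inspect} exceeds #{field_cap} bytes" if value && size > field_cap
        value << buf.byteslice(0, safe) if value
        buf = buf.byteslice(safe, buf.bytesize)
      end
      refill.call
    end
    size += j
    raise MultipartTooLarge, "field #{name.inspect} exceeds #{field_cap} bytes" if value && size > field_cap
    value << buf.byteslice(0, j) if value
    buf = buf.byteslice(j + delim.bytesize, buf.bytesize)
    parts << { name: name, filename: filename, size: size,
               value: value&.force_encoding(Encoding::UTF_8) }   # charset assumed UTF-8
  end
end

# Middleware: refuse on the declared length first (before reading a byte), then
# parse with per-field caps, which also covers chunked bodies that declare no length.
class MultipartLimit
  def initialize(app, max_body: MAX_BODY, field_cap: MAX_FIELD)
    @app, @max_body, @field_cap = app, max_body, field_cap
  end

  def call(env)
    return reject('request body too large') if env['CONTENT_LENGTH'].to_i > @max_body
    boundary = env['CONTENT_TYPE'].to_s[/\Amultipart\/form-data.*\bboundary="?([^";]+)/i, 1]
    if boundary
      begin
        env['example.form'] = parse_multipart(env['rack.input'], boundary, field_cap: @field_cap)
      rescue MultipartTooLarge => e
        return reject(e.message)
      end
    end
    @app.call(env)
  end

  private

  def reject(msg)
    [413, { 'content-type' => 'text/plain' }, [msg]]
  end
end

# Constructed request bodies for the demo: each field is [name, value, optional filename].
def build_body(boundary, fields)
  body = String.new(encoding: Encoding::BINARY)
  fields.each do |name, value, filename|
    body << "--#{boundary}\r\nContent-Disposition: form-data; name=\"#{name}\""
    body << "; filename=\"#{filename}\"" if filename
    body << "\r\n\r\n" << value.b << "\r\n"
  end
  body << "--#{boundary}--\r\n"
end

# Runs one constructed request through the middleware into a trivial app that
# echoes the field names it received; returns the Rack response triple.
def run_request(fields, max_body: MAX_BODY, field_cap: MAX_FIELD)
  boundary = 'ExampleBoundary7'
  body = build_body(boundary, fields)
  app = ->(env) { [200, { 'content-type' => 'text/plain' }, [(env['example.form'] || []).map { |p| p[:name] }.join(',')]] }
  env = { 'CONTENT_TYPE' => "multipart/form-data; boundary=#{boundary}",
          'CONTENT_LENGTH' => body.bytesize.to_s, 'rack.input' => StringIO.new(body) }
  MultipartLimit.new(app, max_body: max_body, field_cap: field_cap).call(env)
end

if $PROGRAM_NAME == __FILE__
  p run_request([['comment', 'hello'], ['upload', 'binary' * 1000, 'blob.bin']])[0]   # 200
  p run_request([['comment', 'A' * 5000]], field_cap: 1024)[0]                       # 413
end
```

The Content-Length check is the cheap first line of defence and corresponds to `client_max_body_size` at the proxy, but it cannot be the only one: a chunked request declares no length, so the per-field cap inside the reader is what actually bounds memory for a large text field. The `header_cap` and the preamble handling bound the two other buffering paths the Debian changelog lists alongside this CVE (per-part headers and the preamble), which is why the reader releases bytes it has already scanned instead of holding the whole part.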
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.1.18-1~deb13u1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Oct 2025 08:52:58 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.18-1~deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1117627 1117628 1117855 1117856
Changes:
ruby-rack (3.1.18-1~deb13u1) trixie-security; urgency=medium
.
* New upstream version 3.1.18.
- CVE-2025-61772: Multipart parser buffers unbounded per-part headers,
enabling DoS (memory exhaustion).
- CVE-2025-61771: Multipart parser buffers large non-file fields
entirely in memory, enabling DoS (memory exhaustion).
- CVE-2025-61770: Unbounded multipart preamble buffering enables DoS
(memory exhaustion).
- CVE-2025-61780: Improper handling of headers in Rack::Sendfile may
allow proxy bypass.
- CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead
to memory exhaustion.
- Closes: #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
bf9e5ba88585d917f3e072b0ebabe0abb0e0375a 2392 ruby-rack_3.1.18-1~deb13u1.dsc
f358e5c6c93492298cada4c1da6d7db167d161ab 796966 ruby-rack_3.1.18.orig.tar.gz
5ac20e75f8efaf49c51caf5923a8f326a23529dd 7816 ruby-rack_3.1.18-1~deb13u1.debian.tar.xz
b1b05ab49fff98bfe1d53e1738c90fa6fbdcafba 15798 ruby-rack_3.1.18-1~deb13u1_source.buildinfo
Checksums-Sha256:
1ef32d6a0ff7613c3bf4ddd2a6b3f54f3c550a4b59980776c79778ee1ca4c410 2392 ruby-rack_3.1.18-1~deb13u1.dsc
7d6d19dd11565706cd4eb0d3952ac0e54b21d0e197c68d4093ec56ebe860ff80 796966 ruby-rack_3.1.18.orig.tar.gz
32f523a746abdaf29900eed73dac5ee6a70d12f94013e1b4c0eb6623d3a37c96 7816 ruby-rack_3.1.18-1~deb13u1.debian.tar.xz
c1722824ba5c81f05acab4606828cb3f2e964b7677c90d39fd8d2fb0977c3b8a 15798 ruby-rack_3.1.18-1~deb13u1_source.buildinfo
Files:
a04f20b797df1c54ba819ed7f8bd7436 2392 ruby optional ruby-rack_3.1.18-1~deb13u1.dsc
19b3825059eeb5f37aeba510663be6cd 796966 ruby optional ruby-rack_3.1.18.orig.tar.gz
ffb7ea215187fc22325b54d28df659e2 7816 ruby optional ruby-rack_3.1.18-1~deb13u1.debian.tar.xz
b9acddf1327aeb33d4f20ef996f6987f 15798 ruby optional ruby-rack_3.1.18-1~deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---