Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ruby-sinatra
User: [email protected]
Usertags: pu
[ Reason ]
This update fixes a possible Regular Expression-related DoS that is publicly reported as CVE-2025-61921. It has been fixed in unstable with 4.2.1-1. stable (trixie) is not affected, as it only applies to Ruby versions < 3.2.

[ Impact ]
Depending on the application, a specially crafted request can cause a DoS.

[ Tests ]
The fix is trivial and just replaces a potentially vulnerable regular expression with a different implementation. All the tests from the package itself still pass. I also tested the reverse dependencies that are applications (pcs and schleuder) via autopkgtest, and this change causes no regression.

[ Risks ]
I can't see any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- 1-line patch cherry-picked from upstream
- 1-line change to debian/gbp.conf to make it easier to provide future updates.

[ Other info ]
Since this is trivial, I already uploaded it.
diff --git a/debian/changelog b/debian/changelog index 7c23102..3d9c25f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ruby-sinatra (3.0.5-3+deb12u1) bookworm; urgency=medium + + * Prevent Regexp DoS in ETag generation [CVE-2025-61921] (Closes: #1118290) + * debian/gbp.conf: point debian branch to debian/bookworm + + -- Antonio Terceiro <[email protected]> Sun, 19 Oct 2025 20:02:10 -0300 + ruby-sinatra (3.0.5-3) unstable; urgency=medium * Team upload diff --git a/debian/gbp.conf b/debian/gbp.conf index cec628c..e552daa 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/bookworm diff --git a/debian/patches/CVE-2025-61921.patch b/debian/patches/CVE-2025-61921.patch new file mode 100644 index 0000000..dcd4c95 --- /dev/null +++ b/debian/patches/CVE-2025-61921.patch @@ -0,0 +1,25 @@ +From: gecunps <[email protected]> +Date: Wed, 8 Oct 2025 11:15:08 +0800 +Subject: Fix regex to prevent redos + +This a backport of the original upstream patch. + +Signed-off-by: Antonio Terceiro <[email protected]> +Link: https://github.com/sinatra/sinatra/pull/2121 +--- + lib/sinatra/base.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb +index ba330a4..aeff9fd 100644 +--- a/lib/sinatra/base.rb ++++ b/lib/sinatra/base.rb +@@ -693,7 +693,7 @@ module Sinatra + def etag_matches?(list, new_resource = request.post?) + return !new_resource if list == '*' + +- list.to_s.split(/\s*,\s*/).include? response['ETag'] ++ list.to_s.split(',').map(&:strip).include?(response['ETag']) + end + + def with_params(temp_params) diff --git a/debian/patches/series b/debian/patches/series index 00beef1..a516274 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ i18n-fix.patch fix-relative-path.patch 0001-Tests-against-Haml-6.patch fix-test-broken-by-ruby-rack.patch +CVE-2025-61921.patch
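Review bot: the lib/sinatra/base.rb hunk, `+ list.to_s.split(',').map(&:strip).include?(response['ETag'])`, is not a behaviour-preserving rewrite of `split(/\s*,\s*/)`, and the patch description should say so: `strip` now also removes whitespace around the first and last element, and a trailing whitespace-only element survives as `""` instead of being dropped (`'"a", '` becomes `['"a"', '']` where the old split gave `['"a"']`). Neither changes the `include?` result for a real ETag, so this is a documentation point rather than a blocker. The ReDoS itself is the `\s*` on each side of the comma: on an If-None-Match value that is mostly whitespace with no comma after it, the engine retries `\s*` from every offset and backtracks through the remaining whitespace each time, which is quadratic on the Ruby versions this update targets, whereas a literal `split(',')` plus per-element `strip` touches each byte a constant number of times. The diffstat shows only lib/sinatra/base.rb changed, so consider carrying a small regression test that pushes a long whitespace-only If-None-Match through `etag_matches?` under a timeout, so the regexp cannot be silently reintroduced.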
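Review bot: the DEP-3 description line `+This a backport of the original upstream patch.` is missing "is", and the header only carries `Link:`; adding `Origin: backport, https://github.com/sinatra/sinatra/pull/2121` and `Bug-Debian: https://bugs.debian.org/1118290` (the bug the changelog entry closes) would let patch-tracking tooling pick up the provenance. The retained upstream `+From:` and `+Date:` lines are fine as they are.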
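The following is an added illustration, not Sinatra's own code and not part of the debdiff above. It places the pre-patch and post-patch If-None-Match parsing from the hunk side by side, reconstructs the `etag_matches?` logic visible in the hunk context (the `response_etag` parameter stands in for `response['ETag']`, an assumption for illustration), and builds the kind of whitespace-only header value that makes the old regexp backtrack quadratically on Ruby before 3.2. The helper names and the constructed header strings are assumptions made for this example.

```ruby
require 'benchmark'

# Added illustration, not Sinatra's code. Pre-patch parsing of an If-None-Match
# list: \s* on both sides of the comma is retried from every offset when the
# whitespace is not followed by a comma.
def etag_list_vulnerable(header)
  header.to_s.split(/\s*,\s*/)
end

# Post-patch parsing: a literal-comma split, then strip each element. Both
# steps are linear in the header length.
def etag_list_fixed(header)
  header.to_s.split(',').map(&:strip)
end

# Reconstruction of the etag_matches? logic shown in the hunk context;
# response_etag stands in for response['ETag'] (assumption for illustration).
def etag_matches?(list, response_etag, new_resource = false)
  return !new_resource if list == '*'

  etag_list_fixed(list).include?(response_etag)
end

# Constructed payload: n spaces and no comma. The regexp engine tries \s* from
# each of the n offsets and backtracks through the remaining spaces every time,
# so pre-3.2 Ruby does O(n^2) work; the literal split touches each byte once.
def redos_payload(n)
  ' ' * n
end

# Wall-clock seconds spent parsing the header with the named parser.
def parse_seconds(parser, header)
  Benchmark.realtime { send(parser, header) }
end

# Shows where the two parsers agree and where they differ: leading whitespace
# on the first element is now stripped, and a trailing whitespace-only element
# survives as "" instead of being dropped.
def compare_parsers(header)
  { vulnerable: etag_list_vulnerable(header), fixed: etag_list_fixed(header) }
end

if $PROGRAM_NAME == __FILE__
  ['"a", W/"b"', ' "a"', '"a", '].each do |h|
    puts "#{h.inspect} => #{compare_parsers(h)}"
  end

  # On Ruby < 3.2 the regexp column grows roughly 4x when n doubles; on 3.2+
  # the engine memoizes and both columns stay small.
  [4_000, 8_000].each do |n|
    payload = redos_payload(n)
    printf("n=%-5d regexp split %.4fs   literal split %.4fs\n", n,
           parse_seconds(:etag_list_vulnerable, payload),
           parse_seconds(:etag_list_fixed, payload))
  end
end
```

Run it as a script to see the parser comparison and the timing table; the `etag_matches?` wrapper is where a regression test for the package would hook in, feeding `redos_payload` through it under a timeout.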

