Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1118453,
regarding bookworm-pu: package ruby-sinatra/3.0.5-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ruby-sinatra
User: [email protected]
Usertags: pu

[ Reason ]
This update fixes a possible Regular Expression related DoS that is
publicly reported as CVE-2025-61921. It has been fixed in unstable with
4.2.1-1. stable (trixie) is not affected as it only applies for Ruby
versions < 3.2.

[ Impact ]
Depending on the application, a specially crafted request can cause a
DoS.

[ Tests ]
The fix is trivial and just replaces a potentially vulnerable regular
expression with a different implementation. All the tests from the
package itself still pass. I also tested the reverse dependencies that
are applications (pcs and schleuder) via autopkgtest and this change
causes no regression.

[ Risks ]
I can't see any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- 1-line patch cherry-picked from upstream
- 1-line change to debian/gbp.conf to make it easier to provide future
  updates.

[ Other info ]
Since this is trivial, I already uploaded it.
diff --git a/debian/changelog b/debian/changelog
index 7c23102..3d9c25f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-sinatra (3.0.5-3+deb12u1) bookworm; urgency=medium
+
+  * Prevent Regexp DoS in ETag generation [CVE-2025-61921] (Closes: #1118290)
+  * debian/gbp.conf: point debian branch to debian/bookworm
+
+ -- Antonio Terceiro <[email protected]>  Sun, 19 Oct 2025 20:02:10 -0300
+
 ruby-sinatra (3.0.5-3) unstable; urgency=medium
 
   * Team upload
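Review bot: the changelog entry "Prevent Regexp DoS in ETag generation" names the wrong operation for what the cherry-picked patch touches: the one-line change is in etag_matches?, which splits the comma-separated ETag list handed to it and compares the entries against response['ETag'], i.e. ETag matching rather than generation. Suggest "Prevent Regexp DoS in ETag matching [CVE-2025-61921]" so the changelog matches the patch.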
diff --git a/debian/gbp.conf b/debian/gbp.conf
index cec628c..e552daa 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
diff --git a/debian/patches/CVE-2025-61921.patch b/debian/patches/CVE-2025-61921.patch
new file mode 100644
index 0000000..dcd4c95
--- /dev/null
+++ b/debian/patches/CVE-2025-61921.patch
@@ -0,0 +1,25 @@
+From: gecunps <[email protected]>
+Date: Wed, 8 Oct 2025 11:15:08 +0800
+Subject: Fix regex to prevent redos
+
+This a backport of the original upstream patch.
+
+Signed-off-by: Antonio Terceiro <[email protected]>
+Link: https://github.com/sinatra/sinatra/pull/2121
+---
+ lib/sinatra/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index ba330a4..aeff9fd 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -693,7 +693,7 @@ module Sinatra
+     def etag_matches?(list, new_resource = request.post?)
+       return !new_resource if list == '*'
+ 
+-      list.to_s.split(/\s*,\s*/).include? response['ETag']
++      list.to_s.split(',').map(&:strip).include?(response['ETag'])
+     end
+ 
+     def with_params(temp_params)
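Review bot: in the etag_matches? hunk the replacement is not a strict equivalent of the old split and the patch description should say so in one sentence: `list.to_s.split(',').map(&:strip)` also strips whitespace from the start of the first element and the end of the last (" a , b " becomes ["a", "b"] where `/\s*,\s*/` gave [" a", "b "]); since the result is only fed to `include?(response['ETag'])`, that is a harmless, arguably more correct, tightening, but a reviewer reading only the hunk will wonder. The actual fix is that splitting on a literal ',' and stripping each piece runs in linear time, whereas `\s*,\s*` backtracks on long whitespace runs that are not followed by a comma. Minor: "This a backport" in the description should read "This is a backport".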
diff --git a/debian/patches/series b/debian/patches/series
index 00beef1..a516274 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ i18n-fix.patch
 fix-relative-path.patch
 0001-Tests-against-Haml-6.patch
 fix-test-broken-by-ruby-rack.patch
+CVE-2025-61921.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.

--- End Message ---
