Your message dated Tue, 10 Mar 2026 03:33:31 +0000
with message-id <[email protected]>
and subject line Bug#1128479: fixed in ruby-rack 3.2.5-1
has caused the Debian Bug report #1128479,
regarding ruby-rack: CVE-2026-22860
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.2.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.1.18-1
Control: found -1 3.1.18-1~deb13u1
Control: found -1 2.2.20-0+deb12u1

Hi,

The following vulnerability was published for ruby-rack.

CVE-2026-22860[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a
| string prefix match on the expanded path. A request like
| `/../root_example/` can escape the configured root if the target
| path starts with the root string, allowing directory listing outside
| the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22860
    https://www.cve.org/CVERecord?id=CVE-2026-22860
[1] https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

Regards,
Salvatore

--- End Message ---
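The following is an added illustration of the path check described in the advisory quoted above. It is not code from Rack or from the Debian package; it mirrors the described logic (a string prefix match on the expanded path) next to a boundary-aware check. The root directory `/srv/app/root` and the request paths are constructed for the example, and nothing here touches the filesystem.

```ruby
require "pathname"

# Constructed example root; a sibling directory named "root_example"
# is assumed to exist next to it. No filesystem access is performed,
# File.expand_path resolves "." and ".." purely lexically.
ROOT = "/srv/app/root"

# Join the request path onto the root and collapse "." and "..".
def expand_under_root(root, request_path)
  File.expand_path(File.join(root, request_path))
end

# Check as described in the advisory: a plain string prefix match.
# "/../root_example/" expands to "/srv/app/root_example", which begins
# with "/srv/app/root" and is therefore wrongly accepted.
def allowed_prefix_match?(root, request_path)
  expand_under_root(root, request_path).start_with?(root)
end

# Boundary-aware check (one correct way to do it, not necessarily the
# upstream patch): accept only the root itself or a path that continues
# with a separator after the root, so "root_example" is no longer
# mistaken for a descendant of "root".
def allowed_component_match?(root, request_path)
  root = File.expand_path(root)
  path = expand_under_root(root, request_path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Run both checks over a set of constructed request paths and return the
# verdicts, so the difference between the two checks is visible at a glance.
def compare_checks(root, request_paths)
  request_paths.map do |rp|
    {
      request:    rp,
      expanded:   expand_under_root(root, rp),
      prefix_ok:  allowed_prefix_match?(root, rp),
      bounded_ok: allowed_component_match?(root, rp),
    }
  end
end

if __FILE__ == $0
  compare_checks(ROOT, ["/", "/docs/index.html", "/../root_example/", "/../../etc/passwd"]).each do |r|
    puts format("%-22s -> %-26s prefix=%-5s bounded=%s",
                r[:request], r[:expanded], r[:prefix_ok], r[:bounded_ok])
  end
end
```

The boundary check is still purely lexical: `File.expand_path` does not follow symlinks, so a symlink inside the root that points elsewhere would pass it. Where that matters, resolve with `File.realpath` (which does hit the filesystem) before comparing, and apply the same separator-boundary rule to the result.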
--- Begin Message ---
Source: ruby-rack
Source-Version: 3.2.5-1
Done: Utkarsh Gupta <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Mar 2026 18:15:24 +0530
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1128479 1128480
Changes:
 ruby-rack (3.2.5-1) unstable; urgency=medium
 .
   * New upstream version 3.2.5.
     - CVE-2026-25500: XSS injection via malicious filename
       in `Rack::Directory`. (Closes: #1128480)
     - CVE-2026-22860: Directory traversal via root prefix
       bypass in `Rack::Directory`. (Closes: #1128479)
Checksums-Sha1:
 ee51b180be708d93e56a08da39c05cbec7de403f 2356 ruby-rack_3.2.5-1.dsc
 576b33a732cae34ca6e6b9902cee742cefebb28e 4372803 ruby-rack_3.2.5.orig.tar.gz
 1533a6c3fb9894f38af23cca95f693cd0323675b 7952 ruby-rack_3.2.5-1.debian.tar.xz
 ba65f7ffd84770060bfade1423a344ae655922c8 15781 ruby-rack_3.2.5-1_source.buildinfo
Checksums-Sha256:
 0e260b829a7a3ef402d68ac87fa49ae27beb9a9aee9685276c4f6fa473c2588a 2356 ruby-rack_3.2.5-1.dsc
 4e62da1345d3cfce783d245a8a8e269b16a083e46c9c9a6cc0ee974b0d1dfe04 4372803 ruby-rack_3.2.5.orig.tar.gz
 7c9d6f540e086b4fa663ae4cf88de5e2393c7cd4d008ceade2931f58d15d37c5 7952 ruby-rack_3.2.5-1.debian.tar.xz
 e083743364122512c10f3a3bddc5bf175cfbea85294d2aeefdc56385b9e78a0d 15781 ruby-rack_3.2.5-1_source.buildinfo
Files:
 08c3076b69fa3ace17c317b5bb6304fd 2356 ruby optional ruby-rack_3.2.5-1.dsc
 437461d9e2f4bd4980a7bab40f0be177 4372803 ruby optional ruby-rack_3.2.5.orig.tar.gz
 a59e1764587cd354c8925dcec1838c5b 7952 ruby optional ruby-rack_3.2.5-1.debian.tar.xz
 c7ac4095ec512499d9c6c993c4cd6852 15781 ruby optional ruby-rack_3.2.5-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpUm2Ms28KR3.pgp
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
