Your message dated Sat, 09 May 2026 11:19:44 +0000
with message-id <[email protected]>
and subject line Bug#1133007: fixed in ruby-rack-session 2.1.1-0.2
has caused the Debian Bug report #1133007,
regarding ruby-rack-session: CVE-2026-39324
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack-session
Version: 2.1.1-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-rack-session.
CVE-2026-39324[0]:
| Rack::Session is a session management implementation for Rack. From
| 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles
| decryption failures when configured with secrets:. If cookie
| decryption fails, the implementation falls back to a default decoder
| instead of rejecting the cookie. This allows an unauthenticated
| attacker to supply a crafted session cookie that is accepted as
| valid session data without knowledge of any configured secret.
| Because this mechanism is used to load session state, an attacker
| can manipulate session contents and potentially gain unauthorized
| access. This vulnerability is fixed in 2.1.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-39324
https://www.cve.org/CVERecord?id=CVE-2026-39324
[1] https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
[2] https://github.com/rack/rack-session/commit/f43638cb3a4d15c3ecaf59e67a04b47fda08eeac
Regards,
Salvatore
--- End Message ---
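The failure mode in the advisory quoted above (a cookie that fails decryption is handed to a fallback decoder that needs no secret) is easier to see in code. The block below is an added example, not rack-session's own code or the Debian patch: it is a toy cookie store that uses AES-256-GCM under a key derived from a configured secret (the SHA-256 key derivation and the "plain" base64+JSON fallback decoder are assumptions made for the example), with the vulnerable loading pattern beside the hardened one, and a constructed secret and constructed cookies.

```ruby
require "openssl"
require "json"
require "base64"

# Added example: a toy cookie session store, NOT rack-session's own code.
# It models the failure mode in the advisory: a cookie that fails authenticated
# decryption must be rejected, not handed to a fallback decoder that needs no secret.

# Encrypts and authenticates a session hash with AES-256-GCM under a key derived
# from the configured secret (SHA-256 key derivation is an assumption for this
# example only).
class EncryptedCookieCoder
  IV_LEN = 12
  TAG_LEN = 16

  def initialize(secret)
    @key = OpenSSL::Digest::SHA256.digest(secret)
  end

  def encode(session)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Returns the session hash, or nil when the cookie is malformed, was encrypted
  # under a different secret, or was modified (the GCM tag check fails).
  def decode(cookie)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize < IV_LEN + TAG_LEN
    iv = raw[0, IV_LEN]
    tag = raw[IV_LEN, TAG_LEN]
    ciphertext = raw[(IV_LEN + TAG_LEN)..]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# Stand-in for a "default decoder": base64 + JSON with no secret and no
# integrity check, so any client can produce a cookie it accepts.
class PlainCookieCoder
  def encode(session)
    Base64.strict_encode64(JSON.generate(session))
  end

  def decode(cookie)
    JSON.parse(Base64.strict_decode64(cookie))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Vulnerable pattern (the behaviour the advisory describes): when authenticated
# decryption fails, fall back to the unauthenticated decoder, so a cookie built
# without the secret is loaded as session state.
def load_session_vulnerable(cookie, secret)
  EncryptedCookieCoder.new(secret).decode(cookie) ||
    PlainCookieCoder.new.decode(cookie) ||
    {}
end

# Hardened pattern: a decryption or tag failure means the cookie is untrusted;
# start a fresh, empty session instead of consulting any other decoder.
def load_session_fixed(cookie, secret)
  EncryptedCookieCoder.new(secret).decode(cookie) || {}
end

# Constructed secret for the demonstration (not a real deployment value).
SECRET = "constructed-example-secret-do-not-reuse"

def demo
  legit  = EncryptedCookieCoder.new(SECRET).encode({ "user_id" => 42 })
  forged = PlainCookieCoder.new.encode({ "user_id" => 1, "admin" => true }) # built without the secret
  {
    "legit_vulnerable"  => load_session_vulnerable(legit, SECRET),  # {"user_id"=>42}
    "forged_vulnerable" => load_session_vulnerable(forged, SECRET), # {"user_id"=>1, "admin"=>true}: accepted
    "legit_fixed"       => load_session_fixed(legit, SECRET),       # {"user_id"=>42}
    "forged_fixed"      => load_session_fixed(forged, SECRET),      # {}: rejected
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The detection-side lesson is in `decode`: every failure path (bad base64, short payload, wrong key, modified ciphertext, unparsable plaintext) collapses to `nil`, and the caller treats `nil` as "no session", never as "try another decoder". A fix that only patches the fallback but leaves a second decoder reachable from the same code path reintroduces the bug.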
--- Begin Message ---
Source: ruby-rack-session
Source-Version: 2.1.1-0.2
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack-session, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated ruby-rack-session package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 02 May 2026 11:37:55 +0300
Source: ruby-rack-session
Architecture: source
Version: 2.1.1-0.2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1133007
Changes:
ruby-rack-session (2.1.1-0.2) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-39324: decrypt failure falls back to accepting
unencrypted cookies (Closes: #1133007)
Checksums-Sha1:
9a9fe2a236049bc515ea0da46eb4f72ee55c05f4 2210 ruby-rack-session_2.1.1-0.2.dsc
79d6d771190d6b5b091c65278602a6d05ce0d6df 4780 ruby-rack-session_2.1.1-0.2.debian.tar.xz
Checksums-Sha256:
2359f3794311c9194bcd5e966527e12040842c800f5e935a32d81cb6486f0389 2210 ruby-rack-session_2.1.1-0.2.dsc
7dfa9f984e71888eea825a8a1e271b85ae2e9990e93534d52a6b45bac46ba9a7 4780 ruby-rack-session_2.1.1-0.2.debian.tar.xz
Files:
e5ca36ba225d4e3841dbd31a08741b01 2210 ruby optional ruby-rack-session_2.1.1-0.2.dsc
0cf4b3349736e641d31bf90882acd5f9 4780 ruby optional ruby-rack-session_2.1.1-0.2.debian.tar.xz
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers