Bug#1064516: marked as done (ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146)
Your message dated Sat, 25 May 2024 20:36:39 +
with message-id
and subject line Bug#1064516: fixed in ruby-rack 2.1.4-3+deb11u2
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]: Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]: Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]: Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.
--- End Message ---

--- Begin Message ---
Source: ruby-rack
Source-Version: 2.1.4-3+deb11u2
Done: Adrian Bunk

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 23:46:12 +0300
Source: ruby-rack
Architecture: source
Version: 2.1.4-3+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Team
Changed-By: Adrian Bunk
Closes: 1064516
Changes:
 ruby-rack (2.1.4-3+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 e840c3306e8cea596b611a04565f85e59bff2e48 2345 ruby-rack_2.1.4-3+deb11u2.dsc
 fb78585706dacc2ec7997b7c1af7d6320acd33c3 251772 ruby-rack_2.1.4.orig.tar.gz
 398b6cb6427457998dd3e1d22db83437f2138d80 14780 ruby-rack_2.1.4-3+deb11u2.debian.tar.xz
Checksums-Sha256:
 49f54f8f3a7fadd1f2a6a9cb2a73800cf5b3a54e620005f214735f7715ff0c02 2345 ruby-rack_2.1.4-3+deb11u2.dsc
 f0b67c0a585d34a135c1434ac2d0bdbb9611726afafc005d9da91a451b1a7855 251772 ruby-rack_2.1.4.orig.tar.gz
 ff8697ec5799cd71a7995f601f67639aa747447fbadf7f1012e968597b18f965 14780 ruby-rack_2.1.4-3+deb11u2.debian.tar.xz
Files:
 a2e328e5b24577e914bc62e8e28de814 2345 ruby optional ruby-rack_2.1.4-3+deb11u2.dsc
 92633b2d98f6caa2fdaebcd0b15eb42d 251772 ruby optional ruby-rack_2.1.4.orig.tar.gz
 862f1e6641c5f34de6a892857bdef19f 14780 ruby optional ruby-rack_2.1.4-3+deb11u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmY7eyoACgkQiNJCh6LY
mLGHbw/+OP0+3O50ZlSIP2vbZUuw6+ddp56oMRl2V6/nNsuV7zrMp0KDZxPLAAnC
AAkGBKRSHqQw6SaU2SFG2qs3MCe0nRNNT4/rKaGKe06J7o1BEgtFV9vcHEWzvamn
zcL6bZIk8ybCKzGoZIC7SsDF6A9jDEu455GsLwGaD+Xfqpj2AJfdrFk05TZaHAKz
3PvUtM6wscwAis1uO1T3AFeGSmMPhT+4wmFY4VKMc3FB5/XoZpr/6xrqyJnrNK0b
LC6Dhcl0mvkguSMgZTzaxRn+x9jOP27YGACz+ScJzT5czF1AJrYI1FAkoOF/V5ol
mrBInyOWGIFHM5thCr6eGpiON/c5336qECUKhJZuxXEdUq9a40WAksiipaj4CI7v
6pwp3xYtS4c6y5yX1mpFkHdwwuN6OWiJ2h3OuB37Kqvcw3AN64grI/bMTJvUOIM2
S1qWxLZp59ha7iyhlYI7DD0jPe0oewmJmi/J+yQElfdoUFsLc7az0zwZ+WNaWz6f
wKjk8yb2fnMdoZICF9vd01aBcij11+StqwxeU
Bug#1064516: marked as done (ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146)
Your message dated Sat, 25 May 2024 19:32:10 +
with message-id
and subject line Bug#1064516: fixed in ruby-rack 2.2.6.4-1+deb12u1
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]: Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]: Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]: Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.
--- End Message ---

--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.6.4-1+deb12u1
Done: Adrian Bunk

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 23:39:36 +0300
Source: ruby-rack
Architecture: source
Version: 2.2.6.4-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team
Changed-By: Adrian Bunk
Closes: 1064516
Changes:
 ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 59cfba059f5e804d0f88cbcf7e340facc8bf1351 2385 ruby-rack_2.2.6.4-1+deb12u1.dsc
 c112aa25347c7eb7657ccde6a3c2315800cfef97 279212 ruby-rack_2.2.6.4.orig.tar.gz
 88a2b1c2c9db017508d364d0e323104ccf791a08 10924 ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 137cdca52c7f1dfb0a3468018ddf09d145bc7155467d47e134d8872706f9ad53 2385 ruby-rack_2.2.6.4-1+deb12u1.dsc
 3cae965f53c4d556fd3d919729dfb698e86b8b6507045096c635ef4cf998f14b 279212 ruby-rack_2.2.6.4.orig.tar.gz
 5f374d8bf401898ac557cb2d3a124c050741472f490642454830b49b37671598 10924 ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz
Files:
 b682b52017acf8a03824460b889e62a9 2385 ruby optional ruby-rack_2.2.6.4-1+deb12u1.dsc
 77b35ec78eda851646a0c2bfe0f91e9e 279212 ruby optional ruby-rack_2.2.6.4.orig.tar.gz
 9d43b6a5f8218baceb0cbc452c0f17d2 10924 ruby optional ruby-rack_2.2.6.4-1+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmY7ekEACgkQiNJCh6LY
mLEIxBAAq3QahDFUt6FGWwz76IRzvf+Vfl+g5nFPW1wkWPKMQZtJ5UDzaha2Qygc
pGtAC0dWteIFe3iQGQxP1AaPR++MkmdywV9+L92NL5j3L4P25UQ3yw8hsbQUxIE9
DsWocaT6/CC4310juwpdE7LG4zOHV8exod1pgGKENAv/xWTE+0XYfiX90lLHWWS4
xORnKt8hHElax2u8iRQQ9KS0JPAQBgm9lrAqpIlDRGF8d1Kiaay7WNwIFMhO6omT
TWfSfgrpEMwN8SYbNckWMAlcQlyXUzCjmThcJOt6ldrCVTxTE2NAPph3CkqpX1FZ
rhWzyqjaPetPvPe1mAcp4tA4cbzHMZVALk/ClNUgqmc6eR2dmCXZjNIzrdhlll70
jJvWm36YhjHSbFjVVllRIs+hQHP1fPsSkAsDGaX8zTw2+7sBRrrR+xjszkpje9yS
AepYDWstJMWkapnYfHZPzUOHa/bzuY60TCYsibkbvBiMJaM3SoDvj2+n2UlmyHno
fMu7VLVDcfx
Bug#1064516: marked as done (ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146)
Your message dated Sat, 04 May 2024 21:17:14 +
with message-id
and subject line Bug#1064516: fixed in ruby-rack 2.2.7-1.1
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]: Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]: Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]: Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.
--- End Message ---

--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.7-1.1
Done: Adrian Bunk

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 22:55:26 +0300
Source: ruby-rack
Architecture: source
Version: 2.2.7-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Team
Changed-By: Adrian Bunk
Closes: 1064516
Changes:
 ruby-rack (2.2.7-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 f74ea2d462b8737d733fabf353e6c3d9797b2d84 2347 ruby-rack_2.2.7-1.1.dsc
 5f0f4c3a182eba4c4066b011623f01053c8ebc8e 279222 ruby-rack_2.2.7.orig.tar.gz
 6150b1489f5bbf7e4164c9da072976b3d3988d51 10932 ruby-rack_2.2.7-1.1.debian.tar.xz
Checksums-Sha256:
 1dd5f94772d834d6b0f24d64d4890223f7fdc6c6b1248190acaf2e7726f3779d 2347 ruby-rack_2.2.7-1.1.dsc
 e942379fba7a6aa18951973a95cc323c10af7aa7ff61207794bf6fea3ec822b4 279222 ruby-rack_2.2.7.orig.tar.gz
 0bf5154539fdedd122ec3faef1f207681503559d0af4e348c29da701e31dda71 10932 ruby-rack_2.2.7-1.1.debian.tar.xz
Files:
 d34fa63feef913c5426dfaa79cdaa82b 2347 ruby optional ruby-rack_2.2.7-1.1.dsc
 09f5512b2919ceffc5ab777aebf0c88a 279222 ruby optional ruby-rack_2.2.7.orig.tar.gz
 946e35965f30969180924c81317cb52f 10932 ruby optional ruby-rack_2.2.7-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmYz8XMACgkQiNJCh6LY
mLFy/Q/+OEpOrUfoSpwiFtXW6q5qSRCeRMCFTn40LGI3Qtfn5r8Yrj9/cMh7XTIE
OBXyEItK6BO5InugVO8qBe89dC77aql4L5AcGcZYpOBySGjWd7+WBY7HLqWjjDN5
d3jVq/kYQnpgahh0NkN9wu6Pe+e5J9/OSXW2XRAuAfEi8hMcpJSMnKlUp79GTNVE
ht92LRprlftq4tkCMeB47gTQF16fTZHTsaN02rdN5yoTiGyw3IGto6+flMztzq5e
EDaK3AnMwYgkzmlKT/xSz6zKCNi9N51kuyOpcUHFvQ5WieLoHvQ9TOjrU5W4Gq8y
2oWTZmVbwn0r+SbKtzsUWGT2bB4Omun618yvqDcwMuLe+L7oHjdIdGDsWIVeT/o1
7p1OYoGjhfZbje6YG5ckb3CPaaeGbxDhy/Zo/Is82buU+kFG0nOPunYUpyyfXMk7
n6fqBt2Fup/iPA9JFL6J+Fu2TpC3UpA+Kr/2pEqFnxIdB2YhNNmY44qTdpfu6pKP
sK0xoTlAM+H0ZpKqkybAG737+06b3PrC7kpWEcnPNCXUs5vqoGM1R3AyBpcJvpCT
nVbU3G3yHX6dIIBuBZr7muR47UGio+WpWcN2/rt4uWC1eGqTVcUaVq6