
[SECURITY] [DLA 4090-1] ruby-rack security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4090-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 24, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-rack
Version        : 2.1.4-3+deb11u3
CVE ID         : CVE-2025-25184 CVE-2025-27111 CVE-2025-27610
Debian Bug     : 1098257 1099546 1100444

Multiple vulnerabilities have been fixed in ruby-rack,
an interface for developing web applications in Ruby.

CVE-2025-25184

    Log Injection in Rack::CommonLogger

CVE-2025-27111

    Log Injection in Rack::Sendfile

CVE-2025-27610

    Local file inclusion in Rack::Static

For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u3.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS