[SECURITY] [DLA 4357-1] ruby-rack security update
-----------------------------------------------------------------------
Debian LTS Advisory DLA-4357-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
November 01, 2025                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : ruby-rack
Version        : 2.1.4-3+deb11u4
CVE ID         : CVE-2025-32441 CVE-2025-46727 CVE-2025-59830
                 CVE-2025-61770 CVE-2025-61771 CVE-2025-61772
                 CVE-2025-61780 CVE-2025-61919
Debian Bug     : 1104927 1116431 1117855 1117856 1117627 1117628
Multiple vulnerabilities were found in ruby-rack, a modular Ruby
webserver interface, as follows:

- CVE-2025-32441: Rack session can be restored after deletion.

- CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser
  can lead to memory exhaustion.

- CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser
  can lead to memory exhaustion via semicolon-separated parameters.

- CVE-2025-61770: Unbounded multipart preamble buffering enables
  denial of service (memory exhaustion).

- CVE-2025-61771: Multipart parser buffers large non-file fields
  entirely in memory, enabling denial of service (memory exhaustion).

- CVE-2025-61772: Multipart parser buffers unbounded per-part
  headers, enabling denial of service (memory exhaustion).

- CVE-2025-61780: Improper handling of headers in Rack::Sendfile
  may allow proxy bypass.

- CVE-2025-61919: Unbounded read in Rack::Request form parsing can
  lead to memory exhaustion.
For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u4.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS