
[SECURITY] [DLA 4505-1] ruby-rack security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4505-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 23, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-rack
Version        : 2.1.4-3+deb11u5
CVE ID         : CVE-2026-22860 CVE-2026-25500
Debian Bug     : 1128479 1128480

Two vulnerabilities were discovered in ruby-rack, a modular Ruby
webserver interface.

CVE-2026-22860

    Rack::Directory's root check used a plain string prefix match on the
    expanded request path. A request such as /../root_example/ therefore
    passed the check whenever the resolved path merely started with the
    root string (for example a sibling directory root_example next to a
    root named root), allowing directory listings of paths outside the
    configured root.

CVE-2026-25500

    Rack::Directory generated an HTML directory index in which each file
    entry was rendered as a clickable link whose href was the file's
    basename. HTML-escaping the name does not help here: if a file existed
    on disk whose basename started with the javascript: scheme, the
    generated index contained an anchor with a javascript: href, and
    clicking it executed script in the viewer's browser, resulting in a
    stored XSS vulnerability.
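The vulnerable rendering beside a hardened one, as an added example that is not Rack's code: the helper names and the file names are constructed for illustration. The hardened variant percent-encodes the basename with ERB::Util.url_encode (which encodes ":" as %3A) and prefixes "./", so the href can never carry a scheme.

```ruby
require "cgi"
require "erb"
require "uri"

# Constructed example, not code from Rack or from this advisory.

# Vulnerable pattern (the one CVE-2026-25500 describes): the basename is
# HTML-escaped, which is the right defence for the link text but not for
# the href. "javascript:alert(1)" contains no HTML metacharacters, so it
# survives escaping unchanged and becomes a javascript: URL.
def vulnerable_href(basename)
  CGI.escapeHTML(basename)
end

# Hardened href: percent-encode every byte outside the unreserved set
# (ERB::Util.url_encode turns ":" into "%3A") and anchor the result as a
# relative path with "./". The browser now resolves it against the
# directory URL instead of treating "javascript" as a scheme.
def safe_href(basename)
  "./" + ERB::Util.url_encode(basename)
end

# Render one index entry with a chosen href builder; the link text is
# HTML-escaped in both cases.
def render_entry(basename, href_builder)
  %(<a href="#{href_builder.call(basename)}">#{CGI.escapeHTML(basename)}</a>)
end

# Check used to reason about an href: does it carry a URI scheme? An
# unparseable href is treated as unsafe rather than silently accepted.
def link_has_scheme?(href)
  !URI.parse(href).scheme.nil?
rescue URI::InvalidURIError
  true
end

if __FILE__ == $0
  ["README.md", "report 2026.txt", "javascript:alert(1)"].each do |name|
    puts "vulnerable: " + render_entry(name, method(:vulnerable_href))
    puts "hardened:   " + render_entry(name, method(:safe_href))
  end
end
```

For ordinary names the two renderings differ only in the "./" prefix and percent-encoding; for the javascript: basename the vulnerable href parses with a scheme while the hardened one does not.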

For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u5.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

