Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ruby-sinatra@packages.debian.org
Control: affects -1 + src:ruby-sinatra
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
This update fixes a possible Regular-Expression-related DoS that is publicly
reported as CVE-2025-61921. It has been fixed in unstable with 4.2.1-1.
stable (trixie) is not affected as it only applies to Ruby versions < 3.2.

[ Impact ]
Depending on the application, a specially crafted request can cause a DoS.

[ Tests ]
The fix is trivial and just replaces a potentially vulnerable regular
expression with a different implementation. All the tests from the package
itself still pass. I also tested the reverse dependencies that are
applications (pcs and schleuder) via autopkgtest, and this change causes no
regression.

[ Risks ]
I can't see any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- 1-line patch cherry-picked from upstream
- 1-line change to debian/gbp.conf to make it easier to provide future updates.

[ Other info ]
Since this is trivial, I already uploaded it.
diff --git a/debian/changelog b/debian/changelog
index 7c23102..3d9c25f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-sinatra (3.0.5-3+deb12u1) bookworm; urgency=medium
+
+ * Prevent Regexp DoS in ETag generation [CVE-2025-61921] (Closes: #1118290)
+ * debian/gbp.conf: point debian branch to debian/bookworm
+
+ -- Antonio Terceiro <terceiro@debian.org> Sun, 19 Oct 2025 20:02:10 -0300
+
ruby-sinatra (3.0.5-3) unstable; urgency=medium
* Team upload
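Review bot: the changelog line `* Prevent Regexp DoS in ETag generation [CVE-2025-61921]` misdescribes where the fix lands; the patch changes `etag_matches?`, which splits a client-supplied list and compares the entries against `response['ETag']`, so it is conditional-request header parsing, not ETag generation. Suggest `* Prevent Regexp DoS in ETag header matching (etag_matches?) [CVE-2025-61921] (Closes: #1118290)` so anyone grepping the changelog for the affected code path finds the right method.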
diff --git a/debian/gbp.conf b/debian/gbp.conf
index cec628c..e552daa 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,3 @@
[DEFAULT]
pristine-tar = True
+debian-branch = debian/bookworm
diff --git a/debian/patches/CVE-2025-61921.patch b/debian/patches/CVE-2025-61921.patch
new file mode 100644
index 0000000..dcd4c95
--- /dev/null
+++ b/debian/patches/CVE-2025-61921.patch
@@ -0,0 +1,25 @@
+From: gecunps <geraldineelaine.cu@nelnet.net>
+Date: Wed, 8 Oct 2025 11:15:08 +0800
+Subject: Fix regex to prevent redos
+
+This a backport of the original upstream patch.
+
+Signed-off-by: Antonio Terceiro <terceiro@debian.org>
+Link: https://github.com/sinatra/sinatra/pull/2121
+---
+ lib/sinatra/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index ba330a4..aeff9fd 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -693,7 +693,7 @@ module Sinatra
+ def etag_matches?(list, new_resource = request.post?)
+ return !new_resource if list == '*'
+
+- list.to_s.split(/\s*,\s*/).include? response['ETag']
++ list.to_s.split(',').map(&:strip).include?(response['ETag'])
+ end
+
+ def with_params(temp_params)
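Review bot: the replacement `list.to_s.split(',').map(&:strip)` is not a drop-in for `split(/\s*,\s*/)`: it also strips leading and trailing whitespace from the first and last entries, which the regex form left in place (a value of `' "abc" '` previously stayed `[' "abc" ']` and now becomes `['"abc"']`). For quoted ETag lists this is a harmless tightening, but the patch description only says the regex was swapped, so a sentence noting the widened whitespace tolerance would save the next maintainer a diff-reading session. The reason the old pattern is a DoS vector is also worth one line in the description: `\s*` on both sides of the literal `,` means every failed start position backtracks through the whole whitespace run, which is quadratic on a Ruby without regex memoization (hence the < 3.2 qualifier in the report). Finally, `This a backport of the original upstream patch.` should read `This is a backport ...`.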
diff --git a/debian/patches/series b/debian/patches/series
index 00beef1..a516274 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ i18n-fix.patch
fix-relative-path.patch
0001-Tests-against-Haml-6.patch
fix-test-broken-by-ruby-rack.patch
+CVE-2025-61921.patch
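As an added example that is not part of this bug report or of Sinatra's own code, the Ruby script below places the two `split` forms from the patch side by side, re-states the `etag_matches?` logic so both can be driven with the same inputs, and times them on a constructed hostile header value. The helper names, the `splitter:` keyword and the sample header strings are assumptions made for this illustration; the quadratic behaviour is only observable on Ruby < 3.2, which is the version range the report names.

```ruby
# Added example, not part of the Debian bug report or of Sinatra's code base.
# It contrasts the two splitting forms visible in the CVE-2025-61921 patch:
#   vulnerable: list.to_s.split(/\s*,\s*/)
#   patched:    list.to_s.split(',').map(&:strip)
# The function names, the etag_matches? re-statement and the sample header
# values below are constructed for illustration.

require 'benchmark'

# The '-' line of the patch: regex split with \s* on both sides of the comma.
def split_etags_regex(list)
  list.to_s.split(/\s*,\s*/)
end

# The '+' line of the patch: literal split, then strip each entry. Linear time.
def split_etags_linear(list)
  list.to_s.split(',').map(&:strip)
end

# Standalone re-statement of Sinatra's etag_matches? so both splitters can be
# exercised with the same inputs (Sinatra reads the ETag from response['ETag']).
def etag_matches?(list, current_etag, new_resource: false, splitter: :linear)
  return !new_resource if list == '*'

  tags = splitter == :regex ? split_etags_regex(list) : split_etags_linear(list)
  tags.include?(current_etag)
end

# Constructed hostile header value. A run of n spaces followed by "x,":
# the ',' satisfies Onigmo's pre-scan for the mandatory literal, so the
# string is not rejected up front, and the 'x' makes the match fail at every
# start position only after \s* has run up to it and backtracked one space at
# a time. On engines without memoization (Ruby < 3.2) that is O(n^2) work.
def hostile_if_none_match(n)
  (' ' * n) + 'x,'
end

# Wall-clock seconds for each splitter on the hostile value of length n.
def time_split(n)
  header = hostile_if_none_match(n)
  {
    regex:  Benchmark.realtime { split_etags_regex(header) },
    linear: Benchmark.realtime { split_etags_linear(header) }
  }
end

if __FILE__ == $PROGRAM_NAME
  [5_000, 10_000, 20_000].each do |n|
    t = time_split(n)
    printf("n=%6d  regex=%.4fs  linear=%.4fs\n", n, t[:regex], t[:linear])
  end
  # On Ruby < 3.2 the regex column roughly quadruples each time n doubles;
  # on Ruby >= 3.2 the regex engine memoizes and both columns stay near zero,
  # which is why the report says trixie is unaffected.
end
```

Run it under the bookworm Ruby (3.1) and again under a 3.2 or newer interpreter to see the difference the report relies on; the assertions on well-formed lists hold on both, and the only behavioural change between the two splitters is that the patched form also trims whitespace around the first and last entry.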