Your message dated Sat, 25 May 2024 20:36:39 +0000
with message-id <e1say87-00esem...@fasolo.debian.org>
and subject line Bug#1064516: fixed in ruby-rack 2.1.4-3+deb11u2
has caused the Debian Bug report #1064516,
regarding ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.

--- End Message ---
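The three advisories above share one defensive theme: header values (Range, Content-Type, Accept) that are unexpectedly long or complex are handed to a parser that does too much work on them. As an added example that is not part of the bug report and not Rack's own fix, the following Rack-compatible middleware enforces a byte limit on those three headers before the request reaches the application's parsers. The limits are assumed values chosen for illustration, not numbers taken from the advisories; the class, its constants and the sample requests are all constructed here. Only the Rack env conventions (CGI-style `HTTP_*` keys and `[status, headers, body]` triples) are relied on, so it runs without the rack gem installed.

```ruby
# Added example (not part of the Debian bug report or of Rack's own fix):
# a Rack-compatible middleware that rejects requests whose Range,
# Content-Type or Accept header exceeds a byte limit before the request
# reaches the application's header parsers. The limits are assumed values
# chosen for illustration, not numbers taken from the advisories.
class HeaderLengthGuard
  # Rack env keys for the headers named in CVE-2024-26141, CVE-2024-25126
  # and CVE-2024-26146, mapped to an assumed maximum length in bytes.
  DEFAULT_LIMITS = {
    'HTTP_RANGE'   => 512,   # assumed limit
    'CONTENT_TYPE' => 1024,  # assumed limit
    'HTTP_ACCEPT'  => 1024,  # assumed limit
  }.freeze

  def initialize(app, limits = DEFAULT_LIMITS)
    @app = app
    @limits = limits
  end

  # Returns the env key of the first header over its limit, or nil.
  def self.oversized_header(env, limits = DEFAULT_LIMITS)
    limits.each do |key, max|
      value = env[key]
      return key if value && value.bytesize > max
    end
    nil
  end

  def call(env)
    if (key = self.class.oversized_header(env, @limits))
      # 431 Request Header Fields Too Large: the header is refused outright,
      # so an oversized Range value is never evaluated and a long Content-Type
      # or Accept value never reaches a backtracking regular expression.
      name = key.sub(/^HTTP_/, '').tr('_', '-')
      body = "header #{name} exceeds #{@limits[key]} bytes\n"
      return [431,
              { 'content-type' => 'text/plain',
                'content-length' => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Constructed sample application and requests (not real traffic).
SAMPLE_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Runs one request through the guard and returns the HTTP status.
def run_sample(env)
  HeaderLengthGuard.new(SAMPLE_APP).call(env).first
end

NORMAL_ENV = {
  'REQUEST_METHOD' => 'GET',
  'HTTP_RANGE'     => 'bytes=0-1023',
  'HTTP_ACCEPT'    => 'text/html,application/xhtml+xml;q=0.9,*/*;q=0.8',
  'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
}.freeze

# A constructed Range value well beyond the assumed 512-byte limit.
LONG_RANGE_ENV = NORMAL_ENV.merge('HTTP_RANGE' => 'bytes=' + ('0-1,' * 200)).freeze

if __FILE__ == $0
  puts run_sample(NORMAL_ENV)      # 200
  puts run_sample(LONG_RANGE_ENV)  # 431
end
```

Such a guard is defence in depth, not a substitute for the upstream parser fixes in ruby-rack 2.1.4-3+deb11u2: it bounds the input size the vulnerable parsers can see, which is the mitigation a site can deploy in its own stack while the patched package rolls out, and the 431 responses give operations a log signal for requests carrying abnormally large headers.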
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.1.4-3+deb11u2
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 23:46:12 +0300
Source: ruby-rack
Architecture: source
Version: 2.1.4-3+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1064516
Changes:
 ruby-rack (2.1.4-3+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25126: ReDoS in Content Type header parsing
   * CVE-2024-26141: Reject Range headers which are too large
   * CVE-2024-26146: ReDoS in Accept header parsing
   * Closes: #1064516
Checksums-Sha1:
 e840c3306e8cea596b611a04565f85e59bff2e48 2345 ruby-rack_2.1.4-3+deb11u2.dsc
 fb78585706dacc2ec7997b7c1af7d6320acd33c3 251772 ruby-rack_2.1.4.orig.tar.gz
 398b6cb6427457998dd3e1d22db83437f2138d80 14780 ruby-rack_2.1.4-3+deb11u2.debian.tar.xz
Checksums-Sha256:
 49f54f8f3a7fadd1f2a6a9cb2a73800cf5b3a54e620005f214735f7715ff0c02 2345 ruby-rack_2.1.4-3+deb11u2.dsc
 f0b67c0a585d34a135c1434ac2d0bdbb9611726afafc005d9da91a451b1a7855 251772 ruby-rack_2.1.4.orig.tar.gz
 ff8697ec5799cd71a7995f601f67639aa747447fbadf7f1012e968597b18f965 14780 ruby-rack_2.1.4-3+deb11u2.debian.tar.xz
Files:
 a2e328e5b24577e914bc62e8e28de814 2345 ruby optional ruby-rack_2.1.4-3+deb11u2.dsc
 92633b2d98f6caa2fdaebcd0b15eb42d 251772 ruby optional ruby-rack_2.1.4.orig.tar.gz
 862f1e6641c5f34de6a892857bdef19f 14780 ruby optional ruby-rack_2.1.4-3+deb11u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpC3YURqJ1DC.pgp
Description: PGP signature


--- End Message ---