Your message dated Fri, 14 Nov 2025 16:07:03 +0000
with message-id <[email protected]>
and subject line Bug#1117627: fixed in ruby-rack 2.2.20-0+deb12u1
has caused the Debian Bug report #1117627,
regarding ruby-rack: CVE-2025-61770 CVE-2025-61772
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117627: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.2.13-1~deb12u1
Hi,
The following vulnerabilities were published for ruby-rack:
CVE-2025-61770[0] and CVE-2025-61772[1].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61770
https://www.cve.org/CVERecord?id=CVE-2025-61770
https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
[1] https://security-tracker.debian.org/tracker/CVE-2025-61772
https://www.cve.org/CVERecord?id=CVE-2025-61772
https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.20-0+deb12u1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 23 Oct 2025 09:54:27 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.20-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1104927 1116431 1117627 1117628 1117855 1117856
Changes:
ruby-rack (2.2.20-0+deb12u1) bookworm-security; urgency=medium
.
* New upstream version 2.2.20.
- CVE-2025-32441: Rack session can be restored after deletion.
- CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser
can lead to memory exhaustion.
- CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser
can lead to memory exhaustion via semicolon-separated parameters.
- CVE-2025-61770: Unbounded multipart preamble buffering enables DoS
(memory exhaustion).
- CVE-2025-61771: Multipart parser buffers large non-file fields
entirely in memory, enabling DoS (memory exhaustion).
- CVE-2025-61772: Multipart parser buffers unbounded per-part headers,
enabling DoS (memory exhaustion).
- CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead
to memory exhaustion.
- CVE-2025-61780: Improper handling of headers in Rack::Sendfile may
allow proxy bypass.
- Closes: #1104927, #1116431, #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
d518b47b7cc8cb8f4f987b223f3878a69a6bb1c3 2404 ruby-rack_2.2.20-0+deb12u1.dsc
7cef25f429e85179f60db84c3279c752f44e9c46 286135 ruby-rack_2.2.20.orig.tar.gz
68cb81ce8a6c1a2acaf3f3a9e316b09eacce6f1e 9752 ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
56791927016bf91f51235b88f5763bd7b78d8fe3 15834 ruby-rack_2.2.20-0+deb12u1_source.buildinfo
Checksums-Sha256:
c7618d73d2111071b9db6094c104faa8d40555d0e3f6b87ab088f477aae65e47 2404 ruby-rack_2.2.20-0+deb12u1.dsc
c8111414e98f9f1085b6ef53ea39ca83fd852aed7f36417da3b31c5673dde3b3 286135 ruby-rack_2.2.20.orig.tar.gz
ee4cea2b728f93cf4a4a72acc26d26eacdb09b6e469c82df25415828b4f2a94d 9752 ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
48ab28513222a91cf759c06aee9c51db0a8707866ea5369809bc4f6b8f02927e 15834 ruby-rack_2.2.20-0+deb12u1_source.buildinfo
Files:
e64efcb394f386a63dd243819f0710c8 2404 ruby optional ruby-rack_2.2.20-0+deb12u1.dsc
465172a6fbc4b894b8cba487913e5ac3 286135 ruby optional ruby-rack_2.2.20.orig.tar.gz
81ef06d604ecb6bb112c9765f07db95d 9752 ruby optional ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
82ba67629197487b62f961f7dd6a0a5e 15834 ruby optional ruby-rack_2.2.20-0+deb12u1_source.buildinfo
--- End Message ---
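The changelog above lists several memory-exhaustion issues that share one root cause: a parser that accumulates client-controlled bytes until a delimiter arrives, with no upper bound on how much it will hold. The Ruby below is an added illustration of that pattern for the per-part header case (CVE-2025-61772 in general form), not Rack's own parser and not code from the Debian upload. It shows an unbounded header reader beside a bounded one; the 8 KiB cap, the function names, the HeaderTooLarge error and the sample multipart part are all assumptions made for this example.

```ruby
# Added illustrative example, not Rack's code. Demonstrates why an
# unbounded multipart header buffer is a DoS risk and how a cap removes it.

require 'stringio'

# Constructed sample input: one multipart part with a small header block
# terminated by the blank line that separates headers from the body.
SAMPLE_PART = "Content-Disposition: form-data; name=\"field\"\r\n" \
              "Content-Type: text/plain\r\n" \
              "\r\n" \
              "hello\r\n"

# Raised (in this example) when a part's headers exceed the configured cap.
class HeaderTooLarge < StandardError; end

# Unbounded variant: keeps appending header lines until the terminating
# blank line. A client that sends a very long header line, or never sends
# the blank line at all, makes `buf` grow without limit.
def read_part_headers_unbounded(io)
  buf = +""
  while (line = io.gets)
    break if line == "\r\n"
    buf << line
  end
  buf
end

# Bounded variant: reads at most `max_bytes + 1` bytes per call so a single
# header line cannot force a huge read, and rejects the part as soon as the
# accumulated header bytes exceed the cap. The blank line only counts as the
# terminator when it starts a line (previous chunk ended with "\n"), so a
# chunk boundary inside a long line is not mistaken for the end of headers.
def read_part_headers_bounded(io, max_bytes: 8 * 1024)
  buf = +""
  while (line = io.gets(max_bytes + 1))
    break if line == "\r\n" && (buf.empty? || buf.end_with?("\n"))
    buf << line
    if buf.bytesize > max_bytes
      raise HeaderTooLarge, "multipart part headers exceed #{max_bytes} bytes"
    end
  end
  buf
end

# Minimal header-block parser: "Name: value" lines into a lowercase-keyed hash.
def parse_headers(raw)
  raw.split("\r\n").each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.strip if value
  end
end

# Constructed oversized input: a single header line well over the cap.
OVERSIZED_PART = "X-Pad: " + ("a" * 10_000) + "\r\n\r\nbody"

# Convenience wrapper: returns the parsed headers, or nil if the cap rejected them.
def headers_or_nil(raw_part, max_bytes: 8 * 1024)
  parse_headers(read_part_headers_bounded(StringIO.new(raw_part), max_bytes: max_bytes))
rescue HeaderTooLarge
  nil
end

if __FILE__ == $0
  p headers_or_nil(SAMPLE_PART)
  p headers_or_nil(OVERSIZED_PART)
  p read_part_headers_unbounded(StringIO.new(OVERSIZED_PART)).bytesize
end
```

The bounded reader leaves the underlying IO positioned at the start of the part body after a successful header read, which is the property a real multipart parser needs in order to continue; the unbounded variant is kept only to make the contrast concrete. In a deployed Rack application the practical mitigations are the upstream fix in 2.2.20 and an upstream request-size limit at the reverse proxy.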