Your message dated Thu, 27 Mar 2025 00:47:29 +0000
with message-id <e1txbp7-00amby...@fasolo.debian.org>
and subject line Bug#1098257: fixed in ruby-rack 2.2.13-1~deb12u1
has caused the Debian Bug report #1098257,
regarding ruby-rack: CVE-2025-25184
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
Version: 3.0.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-25184[0]:
| Rack provides an interface for developing web applications in Ruby.
| Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can
| be exploited by crafting input that includes newline characters to
| manipulate log entries. The supplied proof-of-concept demonstrates
| injecting malicious content into logs. When a user provides
| authorization credentials via Rack::Auth::Basic, on success the
| username is put in env['REMOTE_USER'] and later used by
| Rack::CommonLogger for logging purposes. The issue occurs when a
| server intentionally or unintentionally allows the creation of a user
| whose username contains CRLF and whitespace characters, or when the
| server simply wants to log every login attempt. If an attacker enters a
| username with CRLF characters, the logger will write the malicious
| username with the CRLF characters into the logfile. Attackers can break
| log formats or insert fraudulent entries, potentially obscuring real
| activity or injecting malicious data into log files. Versions
| 2.2.11, 3.0.12, and 3.1.10 contain a fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25184
    https://www.cve.org/CVERecord?id=CVE-2025-25184
[1] https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
[2] https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
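
The log-injection mechanism described in the CVE text above, as an added example that is neither part of the bug report nor Rack's own code: it rebuilds a Common Log Format record in the same field order Rack::CommonLogger uses, shows how a CRLF in REMOTE_USER splits it into two records, and shows a field sanitizer plus a shape check a log consumer can apply. The request env, timestamp and username are constructed, hypothetical values.

```ruby
# Added example, not code from the bug report or from Rack itself.

# Mirrors CommonLogger's field order; the timestamp is fixed so the
# output is deterministic.
def format_log_line(env, status, length, user)
  query = env['QUERY_STRING'].to_s
  format('%s - %s [%s] "%s %s%s %s" %d %s',
         env['REMOTE_ADDR'] || '-',
         user.to_s.empty? ? '-' : user,
         '01/Jan/2025:00:00:00 +0000',
         env['REQUEST_METHOD'], env['PATH_INFO'],
         query.empty? ? '' : "?#{query}",
         env['SERVER_PROTOCOL'], status, length)
end

# Escape every control character and space (both named in the CVE text)
# so one request can only ever produce one single-line record.
def sanitize_log_field(value)
  value.to_s.gsub(/[\x00-\x20\x7f]/) { |c| format('\\x%02X', c.ord) }
end

# Detection side: reject any record that does not fit the expected shape
# (a single line with the seven fixed CLF fields).
CLF_PATTERN = /\A\S+ - \S+ \[[^\]\r\n]+\] "[^"\r\n]*" \d{3} \S+\z/

def well_formed_clf?(line)
  !!(line =~ CLF_PATTERN)
end

# Constructed request env whose authenticated username carries CRLF
# followed by text that would otherwise appear as a second record.
SAMPLE_ENV = {
  'REMOTE_ADDR' => '203.0.113.7',
  'REMOTE_USER' => "alice\r\nforged entry",
  'REQUEST_METHOD' => 'GET',
  'PATH_INFO' => '/',
  'QUERY_STRING' => '',
  'SERVER_PROTOCOL' => 'HTTP/1.1'
}.freeze

def raw_line
  format_log_line(SAMPLE_ENV, 200, '-', SAMPLE_ENV['REMOTE_USER'])
end

def safe_line
  format_log_line(SAMPLE_ENV, 200, '-', sanitize_log_field(SAMPLE_ENV['REMOTE_USER']))
end

if __FILE__ == $PROGRAM_NAME
  puts "raw record: #{raw_line.lines.size} lines, well-formed: #{well_formed_clf?(raw_line)}"
  puts "sanitized record: #{safe_line.lines.size} line, well-formed: #{well_formed_clf?(safe_line)}"
end
```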
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.13-1~deb12u1
Done: Utkarsh Gupta <utka...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 20 Mar 2025 09:27:37 +0530
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.13-1~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 1098257 1099546 1100444
Changes:
 ruby-rack (2.2.13-1~deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 2.2.13.
     - Fixes: CVE-2025-27610, CVE-2025-27111, CVE-2025-25184.
     - Closes: #1100444, #1099546, #1098257.
   * Drop patches that have been applied in v2.2.13.



--- End Message ---