Control: tags -1 patch

I am uploading an NMU to fix this.
Please find the debdiff attached.
diff -Nru ruby-rack-session-2.1.0/debian/changelog 
ruby-rack-session-2.1.1/debian/changelog
--- ruby-rack-session-2.1.0/debian/changelog    2025-03-08 16:10:24.000000000 
+0100
+++ ruby-rack-session-2.1.1/debian/changelog    2025-07-15 13:10:44.000000000 
+0200
@@ -1,3 +1,10 @@
+ruby-rack-session (2.1.1-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream version 2.1.1. (Closes: #1104928, CVE-2025-46336)
+
+ -- Bastian Germann <b...@debian.org>  Tue, 15 Jul 2025 13:10:44 +0200
+
 ruby-rack-session (2.1.0-1) unstable; urgency=medium
 
   * New upstream version 2.1.0.
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/pool.rb 
ruby-rack-session-2.1.1/lib/rack/session/pool.rb
--- ruby-rack-session-2.1.0/lib/rack/session/pool.rb    2025-01-04 
08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/pool.rb    2025-05-06 
12:54:57.000000000 +0200
@@ -53,6 +53,7 @@
 
       def write_session(req, session_id, new_session, options)
         @mutex.synchronize do
+          return false unless get_session_with_fallback(session_id)
           @pool.store session_id.private_id, new_session
           session_id
         end
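Review bot: The existence check added at the top of the synchronize block needs a comment saying why a write can now be refused, because nothing in the hunk explains what a false return means; I would put `# Refuse to write a session that is no longer in the pool (e.g. deleted by a concurrent request); storing it would resurrect the old id.` above the `return` line. The early `return` inside the block exits write_session and Mutex#synchronize releases the lock on the way out, so the control flow is sound. Since the check and the `store` run under the same mutex, the delete-then-write race the changelog attributes to CVE-2025-46336 is closed within this object, assuming `get_session_with_fallback` does not itself try to take the mutex, which is not visible here. write_session's closing `end` lies outside the hunk.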
@@ -62,7 +63,12 @@
         @mutex.synchronize do
           @pool.delete(session_id.public_id)
           @pool.delete(session_id.private_id)
-          generate_sid(use_mutex: false) unless options[:drop]
+
+          unless options[:drop]
+            sid = generate_sid(use_mutex: false)
+            @pool.store(sid.private_id, {})
+            sid
+          end
         end
       end
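Review bot: The `@pool.store(sid.private_id, {})` line registers an empty placeholder under the renewed id without saying why, and a reader who does not know about write_session's new existence check will find it puzzling; add `# Register the renewed id now so the later write_session, which refuses ids absent from the pool, accepts it.` above it. Passing `use_mutex: false` to generate_sid is presumably because the caller already holds `@mutex`; a short comment to that effect would also help. The enclosing delete_session begins outside the hunk.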
 
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/version.rb 
ruby-rack-session-2.1.1/lib/rack/session/version.rb
--- ruby-rack-session-2.1.0/lib/rack/session/version.rb 2025-01-04 
08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/version.rb 2025-05-06 
12:54:57.000000000 +0200
@@ -5,6 +5,6 @@
 
 module Rack
   module Session
-    VERSION = "2.1.0"
+    VERSION = "2.1.1"
   end
 end
diff -Nru ruby-rack-session-2.1.0/releases.md 
ruby-rack-session-2.1.1/releases.md
--- ruby-rack-session-2.1.0/releases.md 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/releases.md 2025-05-06 12:54:57.000000000 +0200
@@ -1,5 +1,9 @@
 # Releases
 
+## v2.1.1
+
+  - Prevent `Rack::Session::Pool` from recreating deleted sessions 
[CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+
 ## v2.1.0
 
   - Improved compatibility with Ruby 3.3+ and Rack 3+.
diff -Nru ruby-rack-session-2.1.0/test/spec_session_pool.rb 
ruby-rack-session-2.1.1/test/spec_session_pool.rb
--- ruby-rack-session-2.1.0/test/spec_session_pool.rb   2025-01-04 
08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/test/spec_session_pool.rb   2025-05-06 
12:54:57.000000000 +0200
@@ -288,4 +288,52 @@
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].must_be_nil
   end
+
+  user_id_session = Rack::Lint.new(lambda do |env|
+    session = env["rack.session"]
+
+    case env["PATH_INFO"]
+    when "/login"
+      session[:user_id] = 1
+    when "/logout"
+      if session[:user_id].nil?
+        raise "User not logged in"
+      end
+
+      session.delete(:user_id)
+      session.options[:renew] = true
+    when "/slow"
+      Fiber.yield
+    end
+
+    Rack::Response.new(session.inspect).to_a
+  end)
+
+  it "doesn't allow session id to be reused" do
+    app = Rack::Session::Pool.new(user_id_session)
+
+    login_response = Rack::MockRequest.new(app).get("/login")
+    login_cookie = login_response["Set-Cookie"]
+
+    slow_request = Fiber.new do
+      Rack::MockRequest.new(app).get("/slow", "HTTP_COOKIE" => login_cookie)
+    end
+    slow_request.resume
+
+    # Check that the session is valid:
+    response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => 
login_cookie)
+    response.body.must_equal({"user_id" => 1}.to_s)
+
+    logout_response = Rack::MockRequest.new(app).get("/logout", "HTTP_COOKIE" 
=> login_cookie)
+    logout_cookie = logout_response["Set-Cookie"]
+
+    # Check that the session id is different after logout:
+    login_cookie[session_match].wont_equal logout_cookie[session_match]
+
+    slow_response = slow_request.resume
+
+    # Check that the cookie can't be reused:
+    response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => 
login_cookie)
+    response.body.must_equal "{}"
+  end
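Review bot: `slow_response` is assigned from the second `slow_request.resume` but never used, so the test never checks what the delayed request itself produced; either assert on it (for instance that it does not set a cookie for the old id, if that is how the middleware behaves when a write is refused) or drop the binding and write just `slow_request.resume`. The `if session[:user_id].nil? ... end` in the `/logout` branch reads more idiomatically as `raise "User not logged in" if session[:user_id].nil?`. `session_match` is not defined in the hunk; presumably it is a helper elsewhere in the spec file.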
 end