[SECURITY] Fedora 41 Update: rubygem-rack-2.2.21-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-a35addbf9b
2025-11-13 01:22:15.119640+00:00
--------------------------------------------------------------------------------
Name : rubygem-rack
Product : Fedora 41
Version : 2.2.21
Release : 1.fc41
URL : https://rack.github.io/
Summary : A modular Ruby webserver interface
Description :
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
--------------------------------------------------------------------------------
Update Information:
Update to Rack 2.2.21
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 4 2025 Vít Ondruch [vondruch@redhat.com] - 1:2.2.21-1
- Update to Rack 2.2.21
- CVE-2025-25184: Possible Log Injection in Rack::CommonLogger
Resolves: rhbz#2345712
- CVE-2025-27111: Escape Sequence Injection vulnerability in Rack lead to
Possible Log Injection
Resolves: rhbz#2349978
- CVE-2025-27610: Local File Inclusion in Rack::Static
Resolves: rhbz#2351278
- CVE-2025-46727: Unbounded-Parameter DoS in Rack::QueryParser
Resolves: rhbz#2364999
- CVE-2025-32441: Rack Session Reuse Vulnerability
Resolves: rhbz#2365052
- CVE-2025-59830: Rack QueryParser has an unsafe default allowing params_limit
bypass via semicolon-separated parameters
Resolves: rhbz#2402987
- CVE-2025-61919: Unbounded read in `Rack::Request` form parsing can lead to
memory exhaustion
Resolves: rhbz#2403524
- CVE-2025-61780: Improper handling of headers in `Rack::Sendfile` may allow
proxy bypass
Resolves: rhbz#2403529
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2164714 - CVE-2022-44571 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164714
[ 2 ] Bug #2164719 - CVE-2022-44570 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164719
[ 3 ] Bug #2164722 - CVE-2022-44572 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164722
[ 4 ] Bug #2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2176477
[ 5 ] Bug #2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2179649
[ 6 ] Bug #2265593 - CVE-2024-25126 rubygem-rack: Denial of Service Vulnerability in Rack Content-Type Parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2265593
[ 7 ] Bug #2265594 - CVE-2024-26141 rubygem-rack: Possible DoS Vulnerability with Range Header in Rack
https://bugzilla.redhat.com/show_bug.cgi?id=2265594
[ 8 ] Bug #2265595 - CVE-2024-26146 rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2265595
[ 9 ] Bug #2345301 - CVE-2025-25184 rubygem-rack: Possible Log Injection in Rack::CommonLogger
https://bugzilla.redhat.com/show_bug.cgi?id=2345301
[ 10 ] Bug #2349810 - CVE-2025-27111 rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
https://bugzilla.redhat.com/show_bug.cgi?id=2349810
[ 11 ] Bug #2351231 - CVE-2025-27610 rack: rubygem-rack: Local File Inclusion in Rack::Static
https://bugzilla.redhat.com/show_bug.cgi?id=2351231
[ 12 ] Bug #2364965 - CVE-2025-32441 rack: Rack Session Reuse Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=2364965
[ 13 ] Bug #2364966 - CVE-2025-46727 rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser
https://bugzilla.redhat.com/show_bug.cgi?id=2364966
[ 14 ] Bug #2398167 - CVE-2025-59830 rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
https://bugzilla.redhat.com/show_bug.cgi?id=2398167
[ 15 ] Bug #2402174 - CVE-2025-61770 rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402174
[ 16 ] Bug #2402175 - CVE-2025-61771 rack: Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402175
[ 17 ] Bug #2402200 - CVE-2025-61772 rack: Rack memory exhaustion denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=2402200
[ 18 ] Bug #2403126 - CVE-2025-61780 rubygem-rack: Improper handling of headers in `Rack::Sendfile` may allow proxy bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2403126
[ 19 ] Bug #2403180 - CVE-2025-61919 rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion
https://bugzilla.redhat.com/show_bug.cgi?id=2403180
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-a35addbf9b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: webkitgtk-2.50.1-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-4ffeeb504f
2025-11-13 01:07:00.209314+00:00
--------------------------------------------------------------------------------
Name : webkitgtk
Product : Fedora 42
Version : 2.50.1
Release : 1.fc42
URL : https://www.webkitgtk.org/
Summary : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.
--------------------------------------------------------------------------------
Update Information:
Update to WebKitGTK 2.50.1:
Improve text rendering performance.
Fix audio playback broken on Instagram.
Fix rendering of layers with fractional transforms.
Fix several crashes and rendering issues.
Fix CVE-2025-43343
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 13 2025 Michael Catanzaro [mcatanzaro@redhat.com] - 2.50.1-1
- Update to 2.50.1
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-4ffeeb504f' at the command
line.
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: rubygem-rack-2.2.21-9.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-eae2126736
2025-11-13 01:07:00.209294+00:00
--------------------------------------------------------------------------------
Name : rubygem-rack
Product : Fedora 42
Version : 2.2.21
Release : 9.fc42
URL : https://rack.github.io/
Summary : A modular Ruby webserver interface
Description :
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
--------------------------------------------------------------------------------
Update Information:
Update to Rack 2.2.21
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 4 2025 Vít Ondruch [vondruch@redhat.com] - 1:2.2.21-1
- Update to Rack 2.2.21
- CVE-2024-25126: Denial of Service Vulnerability in Rack Content-Type Parsing
Resolves: rhbz#2265596
- CVE-2024-26141: Possible DoS Vulnerability with Range Header in Rack
Resolves: rhbz#2265597
- CVE-2024-26146: Possible Denial of Service Vulnerability in Rack Header
Parsing
Resolves: rhbz#2265598
- CVE-2025-61780: Improper handling of headers in `Rack::Sendfile` may allow
proxy bypass
Resolves: rhbz#2403530
- CVE-2025-61919: Unbounded read in `Rack::Request` form parsing can lead to
memory exhaustion
Resolves: rhbz#2403525
- CVE-2025-59830: Rack QueryParser has an unsafe default allowing params_limit
bypass via semicolon-separated parameters
Resolves: rhbz#2402988
- CVE-2025-32441: Rack Session Reuse Vulnerability
Resolves: rhbz#2365053
- CVE-2025-46727: Unbounded-Parameter DoS in Rack::QueryParser
Resolves: rhbz#2365000
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2164714 - CVE-2022-44571 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164714
[ 2 ] Bug #2164719 - CVE-2022-44570 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164719
[ 3 ] Bug #2164722 - CVE-2022-44572 rubygem-rack: denial of service in Content-Disposition parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2164722
[ 4 ] Bug #2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2176477
[ 5 ] Bug #2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2179649
[ 6 ] Bug #2265593 - CVE-2024-25126 rubygem-rack: Denial of Service Vulnerability in Rack Content-Type Parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2265593
[ 7 ] Bug #2265594 - CVE-2024-26141 rubygem-rack: Possible DoS Vulnerability with Range Header in Rack
https://bugzilla.redhat.com/show_bug.cgi?id=2265594
[ 8 ] Bug #2265595 - CVE-2024-26146 rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2265595
[ 9 ] Bug #2345301 - CVE-2025-25184 rubygem-rack: Possible Log Injection in Rack::CommonLogger
https://bugzilla.redhat.com/show_bug.cgi?id=2345301
[ 10 ] Bug #2349810 - CVE-2025-27111 rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
https://bugzilla.redhat.com/show_bug.cgi?id=2349810
[ 11 ] Bug #2351231 - CVE-2025-27610 rack: rubygem-rack: Local File Inclusion in Rack::Static
https://bugzilla.redhat.com/show_bug.cgi?id=2351231
[ 12 ] Bug #2364965 - CVE-2025-32441 rack: Rack Session Reuse Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=2364965
[ 13 ] Bug #2364966 - CVE-2025-46727 rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser
https://bugzilla.redhat.com/show_bug.cgi?id=2364966
[ 14 ] Bug #2398167 - CVE-2025-59830 rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
https://bugzilla.redhat.com/show_bug.cgi?id=2398167
[ 15 ] Bug #2402174 - CVE-2025-61770 rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402174
[ 16 ] Bug #2402175 - CVE-2025-61771 rack: Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402175
[ 17 ] Bug #2402200 - CVE-2025-61772 rack: Rack memory exhaustion denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=2402200
[ 18 ] Bug #2403126 - CVE-2025-61780 rubygem-rack: Improper handling of headers in `Rack::Sendfile` may allow proxy bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2403126
[ 19 ] Bug #2403180 - CVE-2025-61919 rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion
https://bugzilla.redhat.com/show_bug.cgi?id=2403180
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-eae2126736' at the command
line.
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: skopeo-1.20.0-4.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-01148de25a
2025-11-13 01:07:00.209238+00:00
--------------------------------------------------------------------------------
Name : skopeo
Product : Fedora 42
Version : 1.20.0
Release : 4.fc42
URL : https://github.com/containers/skopeo
Summary : Inspect container images and repositories on registries
Description :
Command line utility to inspect images and repositories directly on Docker
registries without the need to pull them.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2025-58189 and CVE-2025-61725
--------------------------------------------------------------------------------
ChangeLog:
* Fri Oct 31 2025 Lokesh Mandvekar [lsm5@redhat.com] - 1:1.20.0-4
- Resolves: CVE-2025-58189, CVE-2025-61725
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2408094 - CVE-2025-58189 skopeo: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2408094
[ 2 ] Bug #2408689 - CVE-2025-61725 skopeo: Excessive CPU consumption in ParseAddress in net/mail [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2408689
[ 3 ] Bug #2409564 - CVE-2025-61723 skopeo: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2409564
[ 4 ] Bug #2410515 - CVE-2025-58185 skopeo: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2410515
[ 5 ] Bug #2411413 - CVE-2025-58188 skopeo: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2411413
[ 6 ] Bug #2412818 - CVE-2025-58183 skopeo: Unbounded allocation when parsing GNU sparse map [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2412818
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-01148de25a' at the command
line.
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: firefox-145.0-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-2d9e01e0fc
2025-11-13 00:50:21.805608+00:00
--------------------------------------------------------------------------------
Name : firefox
Product : Fedora 43
Version : 145.0
Release : 2.fc43
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
--------------------------------------------------------------------------------
Update Information:
Updated to latest upstream (145.0)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 11 2025 Martin Stransky [stransky@redhat.com] - 145.0-2
- Updated to 145.0 B2
* Wed Nov 5 2025 Martin Stransky [stransky@redhat.com] - 145.0-1
- Updated to 145.0
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-2d9e01e0fc' at the command
line.
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: rubygem-rack-3.1.19-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-b6e0f437b6
2025-11-13 00:50:21.805553+00:00
--------------------------------------------------------------------------------
Name : rubygem-rack
Product : Fedora 43
Version : 3.1.19
Release : 1.fc43
URL : https://github.com/rack/rack
Summary : A modular Ruby webserver interface
Description :
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
--------------------------------------------------------------------------------
Update Information:
Update to Rack 3.1.19
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 4 2025 Vít Ondruch [vondruch@redhat.com] - 1:3.1.19-1
- Update to Rack 3.1.19
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2402174 - CVE-2025-61770 rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402174
[ 2 ] Bug #2402175 - CVE-2025-61771 rack: Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
https://bugzilla.redhat.com/show_bug.cgi?id=2402175
[ 3 ] Bug #2402200 - CVE-2025-61772 rack: Rack memory exhaustion denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=2402200
[ 4 ] Bug #2403126 - CVE-2025-61780 rubygem-rack: Improper handling of headers in `Rack::Sendfile` may allow proxy bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2403126
[ 5 ] Bug #2403180 - CVE-2025-61919 rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion
https://bugzilla.redhat.com/show_bug.cgi?id=2403180
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-b6e0f437b6' at the command
line.
--------------------------------------------------------------------------------