[SECURITY] [DLA 4357-1] ruby-rack security update
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4357-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
November 01, 2025                             https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : ruby-rack
Version        : 2.1.4-3+deb11u4
CVE ID         : CVE-2025-32441 CVE-2025-46727 CVE-2025-59830
                 CVE-2025-61770 CVE-2025-61771 CVE-2025-61772
                 CVE-2025-61780 CVE-2025-61919
Debian Bug     : 1104927 1116431 1117855 1117856 1117627 1117628

Multiple vulnerabilities were found in ruby-rack, a modular Ruby
webserver interface, as follows:
- CVE-2025-32441: Rack session can be restored after deletion.
- CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser
can lead to memory exhaustion.
- CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser
can lead to memory exhaustion via semicolon-separated parameters.
- CVE-2025-61770: Unbounded multipart preamble buffering enables
DoS (memory exhaustion).
- CVE-2025-61771: Multipart parser buffers large non-file fields
entirely in memory, enabling DoS (memory exhaustion).
- CVE-2025-61772: Multipart parser buffers unbounded per-part
headers, enabling DoS (memory exhaustion).
- CVE-2025-61919: Unbounded read in Rack::Request form parsing can
lead to memory exhaustion.
- CVE-2025-61780: Improper handling of headers in Rack::Sendfile
may allow proxy bypass.
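Several of the issues above share one root cause: the parser accepts an unbounded number of parameters, or an unbounded body, and allocates memory for all of it before any limit is applied. The following is an added example, not ruby-rack's own code or the patched code shipped in this update; it shows the defensive shape the fixes take, a query/form parser that splits on both "&" and ";" (the semicolon case in CVE-2025-59830) and rejects the request once a byte, parameter-count or key-length limit is crossed, plus a bounded body reader for the form-parsing case. The limit values and function names are hypothetical choices for illustration.

```ruby
# Added example (not ruby-rack code): bounded query/form parsing.
require 'cgi'
require 'stringio'

class ParamLimitExceeded < StandardError; end

# Hypothetical limits chosen for illustration; a real deployment sizes
# these to its own expected traffic.
MAX_QUERY_BYTES = 4096
MAX_PARAM_COUNT = 100
MAX_KEY_LENGTH  = 256

# Parse "k=v" pairs separated by '&' or ';'. Every limit is checked
# before the corresponding allocation, so a hostile client cannot drive
# memory use by sending more pairs or longer keys than we are willing
# to hold.
def parse_query_bounded(query, max_bytes: MAX_QUERY_BYTES,
                        max_params: MAX_PARAM_COUNT,
                        max_key: MAX_KEY_LENGTH)
  query = query.to_s
  if query.bytesize > max_bytes
    raise ParamLimitExceeded,
          "query of #{query.bytesize} bytes exceeds #{max_bytes}"
  end

  params = {}
  count = 0
  query.split(/[&;] */).each do |pair|
    next if pair.empty?
    count += 1
    raise ParamLimitExceeded, "more than #{max_params} parameters" if count > max_params

    key, value = pair.split('=', 2)
    key = CGI.unescape(key)
    raise ParamLimitExceeded, "key longer than #{max_key} bytes" if key.bytesize > max_key

    params[key] = value.nil? ? nil : CGI.unescape(value)
  end
  params
end

# Read a rack.input-style IO in chunks and stop as soon as the running
# total exceeds max_bytes, instead of slurping the whole body first.
def read_body_bounded(io, max_bytes: MAX_QUERY_BYTES, chunk: 1024)
  buf = +''
  while (part = io.read(chunk))
    buf << part
    raise ParamLimitExceeded, "body exceeds #{max_bytes} bytes" if buf.bytesize > max_bytes
  end
  buf
end

# Form-encoded body: bound the read, then bound the parse.
def parse_form_bounded(io, **limits)
  parse_query_bounded(read_body_bounded(io), **limits)
end

# Rack-style status mapping: an over-limit request gets 413 Payload Too
# Large rather than being allowed to exhaust memory.
def guarded_params(query_string)
  [200, parse_query_bounded(query_string)]
rescue ParamLimitExceeded => e
  [413, { 'error' => e.message }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal query and one with too many parameters.
  p guarded_params('a=1&b=2;c=3')
  p guarded_params((1..200).map { |i| "k#{i}=v" }.join(';'))
  p parse_form_bounded(StringIO.new('user=alice&mode=ro'))
end
```

The important property is the order of operations: size and count are checked as the input is consumed, so the cost of a rejected request is bounded by the limit, not by what the client chose to send.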
For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u4.
We recommend that you upgrade your ruby-rack packages.
For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS