-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Oct 2025 16:34:03 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 2.1.4-3+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@ubuntu.com>
Closes: 1104927 1116431 1117627 1117628 1117855 1117856
Changes:
 ruby-rack (2.1.4-3+deb11u4) bullseye-security; urgency=high
 .
   * Add patch to fix:
     - CVE-2025-32441: Rack session can be restored after deletion.
     - CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
     - CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.
     - CVE-2025-61770: Unbounded multipart preamble buffering enables DoS (memory exhaustion).
     - CVE-2025-61771: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion).
     - CVE-2025-61772: Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
     - CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
     - CVE-2025-61780: Improper handling of headers in Rack::Sendfile may allow proxy bypass.
     - Closes: #1104927, #1116431, #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
 67cd72f3dee963006ec38bb3184cd14c38c7976b 2374 ruby-rack_2.1.4-3+deb11u4.dsc
 fb78585706dacc2ec7997b7c1af7d6320acd33c3 251772 ruby-rack_2.1.4.orig.tar.gz
 5698089c1ab5e71e31eb8681f2ccb59bd6df89f4 27104 ruby-rack_2.1.4-3+deb11u4.debian.tar.xz
 2482fee6523d220120386964ec0ec9e05b345275 15830 ruby-rack_2.1.4-3+deb11u4_source.buildinfo
Checksums-Sha256:
 671117d6046fe84b8ff1b1e2fbe635b590960b67914fc9de1aab8d1cb8f65a8c 2374 ruby-rack_2.1.4-3+deb11u4.dsc
 f0b67c0a585d34a135c1434ac2d0bdbb9611726afafc005d9da91a451b1a7855 251772 ruby-rack_2.1.4.orig.tar.gz
 f8871d108744ca91aa51ded8d82b210f5a393dfa12e6d7d1706d697a01e86984 27104 ruby-rack_2.1.4-3+deb11u4.debian.tar.xz
 5144488a1589ce0503a0cad42b562aed0734254e07053d9c3928327907df28d2 15830 ruby-rack_2.1.4-3+deb11u4_source.buildinfo
Files:
 fbace6e9cf43be660c2a8e5b66b99c53 2374 ruby optional ruby-rack_2.1.4-3+deb11u4.dsc
 92633b2d98f6caa2fdaebcd0b15eb42d 251772 ruby optional ruby-rack_2.1.4.orig.tar.gz
 3550886f7602ec06a8d69011a83441e0 27104 ruby optional ruby-rack_2.1.4-3+deb11u4.debian.tar.xz
 9785496f54777ddcbf73e17e67e80b48 15830 ruby optional ruby-rack_2.1.4-3+deb11u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----