-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Oct 2025 09:54:27 +0100
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.20-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 1104927 1116431 1117627 1117628 1117855 1117856
Changes:
 ruby-rack (2.2.20-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 2.2.20.
     - CVE-2025-32441: Rack session can be restored after deletion.
     - CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
     - CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.
     - CVE-2025-61770: Unbounded multipart preamble buffering enables DoS (memory exhaustion).
     - CVE-2025-61771: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion).
     - CVE-2025-61772: Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
     - CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
     - CVE-2025-61780: Improper handling of headers in Rack::Sendfile may allow proxy bypass.
     - Closes: #1104927, #1116431, #1117855, #1117856, #1117627, #1117628
Checksums-Sha1:
 d518b47b7cc8cb8f4f987b223f3878a69a6bb1c3 2404 ruby-rack_2.2.20-0+deb12u1.dsc
 7cef25f429e85179f60db84c3279c752f44e9c46 286135 ruby-rack_2.2.20.orig.tar.gz
 68cb81ce8a6c1a2acaf3f3a9e316b09eacce6f1e 9752 ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
 56791927016bf91f51235b88f5763bd7b78d8fe3 15834 ruby-rack_2.2.20-0+deb12u1_source.buildinfo
Checksums-Sha256:
 c7618d73d2111071b9db6094c104faa8d40555d0e3f6b87ab088f477aae65e47 2404 ruby-rack_2.2.20-0+deb12u1.dsc
 c8111414e98f9f1085b6ef53ea39ca83fd852aed7f36417da3b31c5673dde3b3 286135 ruby-rack_2.2.20.orig.tar.gz
 ee4cea2b728f93cf4a4a72acc26d26eacdb09b6e469c82df25415828b4f2a94d 9752 ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
 48ab28513222a91cf759c06aee9c51db0a8707866ea5369809bc4f6b8f02927e 15834 ruby-rack_2.2.20-0+deb12u1_source.buildinfo
Files:
 e64efcb394f386a63dd243819f0710c8 2404 ruby optional ruby-rack_2.2.20-0+deb12u1.dsc
 465172a6fbc4b894b8cba487913e5ac3 286135 ruby optional ruby-rack_2.2.20.orig.tar.gz
 81ef06d604ecb6bb112c9765f07db95d 9752 ruby optional ruby-rack_2.2.20-0+deb12u1.debian.tar.xz
 82ba67629197487b62f961f7dd6a0a5e 15834 ruby optional ruby-rack_2.2.20-0+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----