Debian Package Tracker

ruby-rack

modular Ruby webserver interface


general
  • source: ruby-rack (main)
  • version: 3.2.5-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Chris Lamb [DMD] – Youhei SASAKI [DMD] [DM] – Paul van Tilburg [DMD] – Lucas Nussbaum [DMD] – Lucas Kanashiro [DMD] – Utkarsh Gupta [DMD]
  • arch: all
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.1.4-3+deb11u2
  • o-o-sec: 2.1.4-3+deb11u4
  • oldstable: 2.2.20-0+deb12u1
  • old-sec: 2.2.20-0+deb12u1
  • stable: 3.1.18-1~deb13u1
  • stable-sec: 3.1.18-1~deb13u1
  • testing: 3.1.18-1
  • unstable: 3.2.5-1
versioned links
  • 2.1.4-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1.4-3+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.20-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.18-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.2.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-rack
action needed
2 security issues in trixie (severity: high)

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
  • CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Created: 2026-02-19 Last update: 2026-03-10 09:32
2 security issues in forky (severity: high)

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-22860 and CVE-2026-25500 (the same two issues described under trixie above)
Created: 2026-02-19 Last update: 2026-03-10 09:32
2 security issues in bullseye (severity: high)

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-22860 and CVE-2026-25500 (the same two issues described under trixie above)
Created: 2026-02-19 Last update: 2026-03-10 09:32
2 security issues in bookworm (severity: high)

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-22860 and CVE-2026-25500 (the same two issues described under trixie above)
Created: 2026-02-19 Last update: 2026-03-10 09:32
3 new commits since last upload, is it time to release? (severity: normal)
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 4539174a5578fb2c9d56741de89a505b976d80c3
Author: Utkarsh Gupta <utkarsh@ubuntu.com>
Date:   Tue Mar 10 08:33:26 2026 +0530

    Update d/ch for 3.2.5-1 release

commit bf8be5508d0f01c741d4193b8c8d794451f19b39
Merge: 94ac2ff a8885f1
Author: Utkarsh Gupta <utkarsh@ubuntu.com>
Date:   Tue Mar 10 08:32:20 2026 +0530

    Update upstream source from tag 'upstream/3.2.5'
    
    Update to upstream version '3.2.5'
    with Debian dir 07839d09c37e075afe260d276af459db3c4c7a2f

commit a8885f1705f06602d9c44abd13deb28ac809ae40
Author: Utkarsh Gupta <utkarsh@ubuntu.com>
Date:   Tue Mar 10 08:32:16 2026 +0530

    New upstream version 3.2.5
Created: 2026-03-10 Last update: 2026-03-10 09:32
testing migrations
  • This package is part of the ongoing testing transition known as auto-upperlimit-ruby-rack. Please avoid uploads unrelated to this transition; they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it from migrating to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for ruby-rack (3.1.18-1 to 3.2.5-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • migrating ruby-rack/3.2.5-1/amd64 to testing makes redmine/6.0.6+ds-6/amd64 uninstallable
      • migrating ruby-rack/3.2.5-1/amd64 to testing makes Build-Depends of src:redmine uninstallable
      • migrating ruby-rack/3.2.5-1/arm64 to testing makes redmine/6.0.6+ds-6/arm64 uninstallable
      • Autopkgtest for rails/2:7.2.2.2+dfsg-2: amd64: Regression (reference), arm64: Regression (reference), i386: Regression (reference), ppc64el: Regression (reference), riscv64: Regression (reference), s390x: Regression (reference)
      • Autopkgtest for ruby-propshaft/1.3.1-1: amd64: Regression (reference), arm64: Regression (reference), i386: Regression (reference), ppc64el: Regression (reference), riscv64: Regression (reference), s390x: Regression (reference)
      • Autopkgtest for ruby-rack/3.2.5-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Autopkgtest for ruby-rails-propshaft/1.1.0-3: amd64: Regression (reference), arm64: Regression (reference), i386: Regression (reference), ppc64el: Regression (reference), riscv64: Regression (reference), s390x: Regression (reference)
      • Autopkgtest for thin/1.8.2+git20250216.de6b618-2: ppc64el: Pass, s390x: Pass
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/r/ruby-rack.html
      • Reproduced on amd64
      • Reproduced on arm64
      • Reproduced on armhf
      • Reproduced on i386
      • Reproduced on ppc64el
      • 5 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-03-10] Accepted ruby-rack 3.2.5-1 (source) into unstable (Utkarsh Gupta)
  • [2026-02-12] Accepted ruby-rack 3.2.4-1 (source) into unstable (Simon Quigley)
  • [2025-11-14] Accepted ruby-rack 2.2.20-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-11-05] Accepted ruby-rack 3.1.18-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-11-03] Accepted ruby-rack 2.2.20-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-11-03] Accepted ruby-rack 3.1.18-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-11-01] Accepted ruby-rack 2.1.4-3+deb11u4 (source) into oldoldstable-security (Utkarsh Gupta)
  • [2025-11-01] ruby-rack 3.1.18-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-30] Accepted ruby-rack 3.1.18-1 (source) into unstable (Utkarsh Gupta)
  • [2025-07-21] ruby-rack 3.1.16-0.1 MIGRATED to testing (Debian testing watch)
  • [2025-07-15] Accepted ruby-rack 3.1.16-0.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
  • [2025-06-13] Accepted ruby-rack 3.1.12-2~exp1 (source) into experimental (Gabriel Lima de Moraes) (signed by: Lucas Kanashiro)
  • [2025-03-27] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-25] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-24] Accepted ruby-rack 2.1.4-3+deb11u3 (source) into oldstable-security (Adrian Bunk)
  • [2025-03-24] ruby-rack 3.1.12-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-19] Accepted ruby-rack 3.1.12-1 (source) into unstable (Blair Noctis)
  • [2025-03-07] Accepted ruby-rack 3.1.9-2 (source) into unstable (Utkarsh Gupta)
  • [2025-02-12] ruby-rack 3.0.8-4 MIGRATED to testing (Debian testing watch)
  • [2025-02-11] Accepted ruby-rack 3.1.9-1~exp1 (source) into experimental (Lucas Kanashiro)
  • [2025-02-05] Accepted ruby-rack 3.0.8-4 (source) into unstable (Antonio Terceiro)
  • [2025-02-04] Accepted ruby-rack 3.0.8-3 (source) into unstable (Antonio Terceiro)
  • [2025-01-28] Accepted ruby-rack 3.0.8-2 (source) into unstable (Utkarsh Gupta)
  • [2024-05-25] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-25] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-09] ruby-rack 2.2.7-1.1 MIGRATED to testing (Debian testing watch)
  • [2024-05-04] Accepted ruby-rack 2.2.7-1.1 (source) into unstable (Adrian Bunk)
  • [2024-04-29] Accepted ruby-rack 2.0.6-3+deb10u4 (source) into oldoldstable (Adrian Bunk)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 3.2.4-1ubuntu1
  • patches for 3.2.4-1ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers