Register | Log in

ruby-rack

modular Ruby webserver interface

Choose email to subscribe with

general

source: ruby-rack (main)
version: 3.2.4-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Lucas Nussbaum [DMD] – Paul van Tilburg [DMD] – Utkarsh Gupta [DMD] – Chris Lamb [DMD] – Lucas Kanashiro [DMD] – Youhei SASAKI [DMD] [DM]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.1.4-3+deb11u2
o-o-sec: 2.1.4-3+deb11u4
oldstable: 2.2.20-0+deb12u1
old-sec: 2.2.20-0+deb12u1
stable: 3.1.18-1~deb13u1
stable-sec: 3.1.18-1~deb13u1
testing: 3.1.18-1
unstable: 3.2.4-1

versioned links

2.1.4-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.1.4-3+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.20-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.18-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-rack

action needed

A new upstream version is available: 3.2.5 high

A new upstream version 3.2.5 is available, you should consider packaging it.

Created: 2026-02-17 Last update: 2026-02-22 09:32

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Created: 2026-02-19 Last update: 2026-02-20 10:01

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Created: 2026-02-19 Last update: 2026-02-20 10:01

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Created: 2026-02-19 Last update: 2026-02-20 10:01

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Created: 2026-02-19 Last update: 2026-02-20 10:01

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2026-22860: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVE-2026-25500: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Created: 2026-02-19 Last update: 2026-02-20 10:01

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-02-18 Last update: 2026-02-22 14:01

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-08-19 06:28

testing migrations

This package is part of the ongoing testing transition known as auto-upperlimit-ruby-rack. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for ruby-rack (3.1.18-1 to 3.2.4-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ migrating ruby-rack/3.2.4-1/amd64 to testing makes redmine/6.0.6+ds-6/amd64 uninstallable
- ∙ ∙ migrating ruby-rack/3.2.4-1/amd64 to testing makes Build-Depends of src:redmine uninstallable
- ∙ ∙ migrating ruby-rack/3.2.4-1/arm64 to testing makes redmine/6.0.6+ds-6/arm64 uninstallable
- ∙ ∙ Autopkgtest for rails/2:7.2.2.2+dfsg-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for ruby-propshaft/1.2.1-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for ruby-rack/3.2.4-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for ruby-rails-propshaft/1.1.0-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/ruby-rack.html
- ∙ ∙ Reproducible on amd64
- ∙ ∙ Reproducible on arm64
- ∙ ∙ Reproducible on armhf
- ∙ ∙ Reproducible on i386
- ∙ ∙ Reproducible on ppc64el
- ∙ ∙ 9 days old (needed 5 days)
- Not considered

news

[2026-02-12] Accepted ruby-rack 3.2.4-1 (source) into unstable (Simon Quigley)
[2025-11-14] Accepted ruby-rack 2.2.20-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-11-05] Accepted ruby-rack 3.1.18-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-11-03] Accepted ruby-rack 2.2.20-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-11-03] Accepted ruby-rack 3.1.18-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-11-01] Accepted ruby-rack 2.1.4-3+deb11u4 (source) into oldoldstable-security (Utkarsh Gupta)
[2025-11-01] ruby-rack 3.1.18-1 MIGRATED to testing (Debian testing watch)
[2025-10-30] Accepted ruby-rack 3.1.18-1 (source) into unstable (Utkarsh Gupta)
[2025-07-21] ruby-rack 3.1.16-0.1 MIGRATED to testing (Debian testing watch)
[2025-07-15] Accepted ruby-rack 3.1.16-0.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-06-13] Accepted ruby-rack 3.1.12-2~exp1 (source) into experimental (Gabriel Lima de Moraes) (signed by: Lucas Kanashiro)
[2025-03-27] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-25] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-24] Accepted ruby-rack 2.1.4-3+deb11u3 (source) into oldstable-security (Adrian Bunk)
[2025-03-24] ruby-rack 3.1.12-1 MIGRATED to testing (Debian testing watch)
[2025-03-19] Accepted ruby-rack 3.1.12-1 (source) into unstable (Blair Noctis)
[2025-03-07] Accepted ruby-rack 3.1.9-2 (source) into unstable (Utkarsh Gupta)
[2025-02-12] ruby-rack 3.0.8-4 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted ruby-rack 3.1.9-1~exp1 (source) into experimental (Lucas Kanashiro)
[2025-02-05] Accepted ruby-rack 3.0.8-4 (source) into unstable (Antonio Terceiro)
[2025-02-04] Accepted ruby-rack 3.0.8-3 (source) into unstable (Antonio Terceiro)
[2025-01-28] Accepted ruby-rack 3.0.8-2 (source) into unstable (Utkarsh Gupta)
[2024-05-25] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-25] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-24] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-24] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-09] ruby-rack 2.2.7-1.1 MIGRATED to testing (Debian testing watch)
[2024-05-04] Accepted ruby-rack 2.2.7-1.1 (source) into unstable (Adrian Bunk)
[2024-04-29] Accepted ruby-rack 2.0.6-3+deb10u4 (source) into oldoldstable (Adrian Bunk)
[2023-10-28] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)

1
2

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.1.18-1build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing