Debian Package Tracker
Register | Log in
Subscribe

ruby-rack

modular Ruby webserver interface

Choose email to subscribe with

general
  • source: ruby-rack (main)
  • version: 3.1.16-0.1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Chris Lamb [DMD] – Youhei SASAKI [DMD] [DM] – Paul van Tilburg [DMD] – Lucas Nussbaum [DMD] – Lucas Kanashiro [DMD] – Utkarsh Gupta [DMD]
  • arch: all
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.1.4-3+deb11u2
  • o-o-sec: 2.1.4-3+deb11u3
  • oldstable: 2.2.13-1~deb12u1
  • old-sec: 2.2.13-1~deb12u1
  • stable: 3.1.16-0.1
  • testing: 3.1.16-0.1
  • unstable: 3.1.16-0.1
versioned links
  • 2.1.4-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1.4-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.13-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.16-0.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-rack
action needed
A new upstream version is available: 3.2.1 high
A new upstream version 3.2.1 is available, you should consider packaging it.
Created: 2025-07-31 Last update: 2025-09-07 09:01
2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2025-32441: Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
  • CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
Created: 2025-05-08 Last update: 2025-08-10 06:32
2 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 9e0e88d3d1ec514b853f3b2b770e293965078ccb
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:46:19 2025 +0000

    debian/salsa-ci.yml: use team-specific include

commit f6c65f48e8e3a9fd570a54c6784260ca6e7188c0
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Mon Aug 25 15:49:26 2025 +0000

    debian/gbp.conf: Add for DEP-14
Created: 2025-08-25 Last update: 2025-09-06 07:03
1 open merge request in Salsa normal
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-08-19 Last update: 2025-08-19 06:28
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2024-04-07 Last update: 2025-07-19 19:31
news
[rss feed]
  • [2025-07-21] ruby-rack 3.1.16-0.1 MIGRATED to testing (Debian testing watch)
  • [2025-07-15] Accepted ruby-rack 3.1.16-0.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
  • [2025-06-13] Accepted ruby-rack 3.1.12-2~exp1 (source) into experimental (Gabriel Lima de Moraes) (signed by: Lucas Kanashiro)
  • [2025-03-27] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-25] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-24] Accepted ruby-rack 2.1.4-3+deb11u3 (source) into oldstable-security (Adrian Bunk)
  • [2025-03-24] ruby-rack 3.1.12-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-19] Accepted ruby-rack 3.1.12-1 (source) into unstable (Blair Noctis)
  • [2025-03-07] Accepted ruby-rack 3.1.9-2 (source) into unstable (Utkarsh Gupta)
  • [2025-02-12] ruby-rack 3.0.8-4 MIGRATED to testing (Debian testing watch)
  • [2025-02-11] Accepted ruby-rack 3.1.9-1~exp1 (source) into experimental (Lucas Kanashiro)
  • [2025-02-05] Accepted ruby-rack 3.0.8-4 (source) into unstable (Antonio Terceiro)
  • [2025-02-04] Accepted ruby-rack 3.0.8-3 (source) into unstable (Antonio Terceiro)
  • [2025-01-28] Accepted ruby-rack 3.0.8-2 (source) into unstable (Utkarsh Gupta)
  • [2024-05-25] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-25] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-09] ruby-rack 2.2.7-1.1 MIGRATED to testing (Debian testing watch)
  • [2024-05-04] Accepted ruby-rack 2.2.7-1.1 (source) into unstable (Adrian Bunk)
  • [2024-04-29] Accepted ruby-rack 2.0.6-3+deb10u4 (source) into oldoldstable (Adrian Bunk)
  • [2023-10-28] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2023-10-22] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2023-07-13] ruby-rack 2.2.7-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-10] Accepted ruby-rack 2.2.7-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2023-06-26] Accepted ruby-rack 3.0.8-1 (source) into experimental (Lucas Kanashiro)
  • [2023-04-18] Accepted ruby-rack 2.0.6-3+deb10u3 (source) into oldstable (Scarlett Moore) (signed by: Utkarsh Gupta)
  • [2023-03-31] ruby-rack 2.2.6.4-1 MIGRATED to testing (Debian testing watch)
  • [2023-03-25] Accepted ruby-rack 2.2.6.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2023-02-13] ruby-rack 2.2.4-3 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.1.16-0.1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing