Register | Log in

ruby-rack

modular Ruby webserver interface

Choose email to subscribe with

general

source: ruby-rack (main)
version: 3.1.12-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Lucas Nussbaum [DMD] – Paul van Tilburg [DMD] – Utkarsh Gupta [DMD] – Chris Lamb [DMD] – Lucas Kanashiro [DMD] – Youhei SASAKI [DMD] [DM]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.0.6-3
o-o-sec: 2.0.6-3+deb10u4
oldstable: 2.1.4-3+deb11u2
old-sec: 2.1.4-3+deb11u3
stable: 2.2.13-1~deb12u1
stable-sec: 2.2.13-1~deb12u1
testing: 3.1.12-1
unstable: 3.1.12-1
exp: 3.1.12-2~exp1

versioned links

2.0.6-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.6-3+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.1.4-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.1.4-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.13-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12-2~exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-rack

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:01:02
Last run: 2025-06-11T06:04:01.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:00:42
Last run: 2025-06-20T04:06:17.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:00:41
Last run: 2025-03-25T00:16:36.000Z
Previous status: unknown

Created: 2025-04-16 Last update: 2025-06-22 08:00

A new upstream version is available: 3.1.16 high

A new upstream version 3.1.16 is available, you should consider packaging it.

Created: 2025-04-16 Last update: 2025-06-22 04:01

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-06-13 Last update: 2025-06-18 22:36

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
CVE-2025-49007: Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Created: 2025-05-08 Last update: 2025-06-06 17:00

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
CVE-2025-49007: Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Created: 2025-05-08 Last update: 2025-06-06 17:00

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2025-32441: Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

Created: 2025-05-08 Last update: 2025-06-06 17:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2024-04-07 Last update: 2025-03-19 22:57

news

[2025-06-13] Accepted ruby-rack 3.1.12-2~exp1 (source) into experimental (Gabriel Lima de Moraes) (signed by: Lucas Kanashiro)
[2025-03-27] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-25] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-24] Accepted ruby-rack 2.1.4-3+deb11u3 (source) into oldstable-security (Adrian Bunk)
[2025-03-24] ruby-rack 3.1.12-1 MIGRATED to testing (Debian testing watch)
[2025-03-19] Accepted ruby-rack 3.1.12-1 (source) into unstable (Blair Noctis)
[2025-03-07] Accepted ruby-rack 3.1.9-2 (source) into unstable (Utkarsh Gupta)
[2025-02-12] ruby-rack 3.0.8-4 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted ruby-rack 3.1.9-1~exp1 (source) into experimental (Lucas Kanashiro)
[2025-02-05] Accepted ruby-rack 3.0.8-4 (source) into unstable (Antonio Terceiro)
[2025-02-04] Accepted ruby-rack 3.0.8-3 (source) into unstable (Antonio Terceiro)
[2025-01-28] Accepted ruby-rack 3.0.8-2 (source) into unstable (Utkarsh Gupta)
[2024-05-25] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-25] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-24] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-24] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-05-09] ruby-rack 2.2.7-1.1 MIGRATED to testing (Debian testing watch)
[2024-05-04] Accepted ruby-rack 2.2.7-1.1 (source) into unstable (Adrian Bunk)
[2024-04-29] Accepted ruby-rack 2.0.6-3+deb10u4 (source) into oldoldstable (Adrian Bunk)
[2023-10-28] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2023-10-22] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2023-07-13] ruby-rack 2.2.7-1 MIGRATED to testing (Debian testing watch)
[2023-07-10] Accepted ruby-rack 2.2.7-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-06-26] Accepted ruby-rack 3.0.8-1 (source) into experimental (Lucas Kanashiro)
[2023-04-18] Accepted ruby-rack 2.0.6-3+deb10u3 (source) into oldstable (Scarlett Moore) (signed by: Utkarsh Gupta)
[2023-03-31] ruby-rack 2.2.6.4-1 MIGRATED to testing (Debian testing watch)
[2023-03-25] Accepted ruby-rack 2.2.6.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-02-13] ruby-rack 2.2.4-3 MIGRATED to testing (Debian testing watch)
[2023-02-10] Accepted ruby-rack 2.2.4-3 (source) into unstable (Sruthi Chandran)
[2023-01-30] Accepted ruby-rack 2.0.6-3+deb10u2 (source) into oldstable (Utkarsh Gupta)

1
2

bugs [bug history graph]

all: 3
RC: 1
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, exp, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.2.7-1.1
1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing