Debian Package Tracker
Register | Log in
Subscribe

ruby-rack

modular Ruby webserver interface

Choose email to subscribe with

general
  • source: ruby-rack (main)
  • version: 3.1.12-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Lucas Nussbaum [DMD] – Paul van Tilburg [DMD] – Utkarsh Gupta [DMD] – Chris Lamb [DMD] – Lucas Kanashiro [DMD] – Youhei SASAKI [DMD] [DM]
  • arch: all
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.0.6-3
  • o-o-sec: 2.0.6-3+deb10u4
  • oldstable: 2.1.4-3+deb11u2
  • old-sec: 2.1.4-3+deb11u3
  • stable: 2.2.13-1~deb12u1
  • stable-sec: 2.2.13-1~deb12u1
  • testing: 3.1.12-1
  • unstable: 3.1.12-1
versioned links
  • 2.0.6-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.0.6-3+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1.4-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1.4-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.13-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.12-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-rack
action needed
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:01:02
    Last run: 2025-06-11T06:04:01.000Z
    Previous status: unknown

  • testing: fail (log)
    The tests ran in 0:00:43
    Last run: 2025-06-08T18:05:20.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:00:41
    Last run: 2025-03-25T00:16:36.000Z
    Previous status: unknown

Created: 2025-04-16 Last update: 2025-06-13 17:03
A new upstream version is available: 3.1.16 high
A new upstream version 3.1.16 is available, you should consider packaging it.
Created: 2025-04-16 Last update: 2025-06-13 13:30
2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
  • CVE-2025-49007: Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.
Created: 2025-05-08 Last update: 2025-06-06 17:00
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
  • CVE-2025-49007: Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.
Created: 2025-05-08 Last update: 2025-06-06 17:00
2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2025-32441: Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
  • CVE-2025-46727: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
Created: 2025-05-08 Last update: 2025-06-06 17:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2024-04-07 Last update: 2025-03-19 22:57
news
[rss feed]
  • [2025-03-27] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-25] Accepted ruby-rack 2.2.13-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2025-03-24] Accepted ruby-rack 2.1.4-3+deb11u3 (source) into oldstable-security (Adrian Bunk)
  • [2025-03-24] ruby-rack 3.1.12-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-19] Accepted ruby-rack 3.1.12-1 (source) into unstable (Blair Noctis)
  • [2025-03-07] Accepted ruby-rack 3.1.9-2 (source) into unstable (Utkarsh Gupta)
  • [2025-02-12] ruby-rack 3.0.8-4 MIGRATED to testing (Debian testing watch)
  • [2025-02-11] Accepted ruby-rack 3.1.9-1~exp1 (source) into experimental (Lucas Kanashiro)
  • [2025-02-05] Accepted ruby-rack 3.0.8-4 (source) into unstable (Antonio Terceiro)
  • [2025-02-04] Accepted ruby-rack 3.0.8-3 (source) into unstable (Antonio Terceiro)
  • [2025-01-28] Accepted ruby-rack 3.0.8-2 (source) into unstable (Utkarsh Gupta)
  • [2024-05-25] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-25] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.2.6.4-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-24] Accepted ruby-rack 2.1.4-3+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-05-09] ruby-rack 2.2.7-1.1 MIGRATED to testing (Debian testing watch)
  • [2024-05-04] Accepted ruby-rack 2.2.7-1.1 (source) into unstable (Adrian Bunk)
  • [2024-04-29] Accepted ruby-rack 2.0.6-3+deb10u4 (source) into oldoldstable (Adrian Bunk)
  • [2023-10-28] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2023-10-22] Accepted ruby-rack 2.1.4-3+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2023-07-13] ruby-rack 2.2.7-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-10] Accepted ruby-rack 2.2.7-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2023-06-26] Accepted ruby-rack 3.0.8-1 (source) into experimental (Lucas Kanashiro)
  • [2023-04-18] Accepted ruby-rack 2.0.6-3+deb10u3 (source) into oldstable (Scarlett Moore) (signed by: Utkarsh Gupta)
  • [2023-03-31] ruby-rack 2.2.6.4-1 MIGRATED to testing (Debian testing watch)
  • [2023-03-25] Accepted ruby-rack 2.2.6.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2023-02-13] ruby-rack 2.2.4-3 MIGRATED to testing (Debian testing watch)
  • [2023-02-10] Accepted ruby-rack 2.2.4-3 (source) into unstable (Sruthi Chandran)
  • [2023-01-30] Accepted ruby-rack 2.0.6-3+deb10u2 (source) into oldstable (Utkarsh Gupta)
  • [2022-11-09] Accepted ruby-rack 3.0.0-1 (source) into experimental (Lucas Kanashiro)
  • 1
  • 2
bugs [bug history graph]
  • all: 3
  • RC: 1
  • I&N: 2
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.2.7-1.1
  • 1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing