Bug 33075

Summary: ruby-rack new security issues CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, sysadmin-bugs, tarazed25
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: ruby-rack-2.2.8-1.mga9.src.rpm
CVE: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Status comment:

Description Nicolas Salguero 2024-04-09 10:45:04 CEST
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968993/

Those CVEs are fixed in versions 3.0.9.1 (for Cauldron) and 2.2.8.1 (for Mageia 9).
Nicolas Salguero 2024-04-09 10:45:38 CEST

Status comment: (none) => Fixed upstream in 3.0.9.1 and 2.2.8.1
Source RPM: (none) => ruby-rack-3.0.9-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-25126, CVE-2024-26141, CVE-2024-26146

Comment 1 Lewis Smith 2024-04-09 21:59:18 CEST
Assigning to Pascal who committed 2.2.4 (for 2.2.8, not visible to me), and 3.0.9.

Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm => ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm
Assignee: bugsquad => pterjan

Comment 2 Nicolas Salguero 2024-04-11 15:31:15 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). (CVE-2024-25126)

Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). (CVE-2024-26141)

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. (CVE-2024-26146)

References:
https://lwn.net/Articles/968993/
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.8.1-1.mga9
ruby-rack-doc-2.2.8.1-1.mga9

from SRPM:
ruby-rack-2.2.8.1-1.mga9.src.rpm

Version: Cauldron => 9
Status comment: Fixed upstream in 3.0.9.1 and 2.2.8.1 => (none)
Assignee: pterjan => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm => ruby-rack-2.2.8-1.mga9.src.rpm
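All three CVEs in the suggested advisory above share one shape: an attacker-controlled header (Content-Type, Accept, Forwarded, Range) drives either parser time or response size. The block below is an added example, not Mageia's packaging nor Rack's own code or its upstream fix, showing the defensive pattern as a Rack-compatible middleware: cap the size of the parser-bound headers before they are parsed, and parse Range with a bounded number of ranges and a bounded total byte count, so a crafted header yields a cheap 431/416 instead of a long parse or a huge body. A Rack app is just an object responding to `call(env)` and returning `[status, headers, body]`, so the example runs without the rack gem installed. `HeaderGuard`, `bounded_byte_ranges`, `guarded_status`, the `BAREBONES` app and all limit values are assumptions chosen for illustration.

```ruby
# Added example (not Mageia's or Rack's own code): a Rack-compatible middleware
# that bounds the request inputs behind CVE-2024-25126, CVE-2024-26141 and
# CVE-2024-26146 before they reach the application or Rack::File.
# All limits below are assumed policy values, not Rack's.

MAX_HEADER_BYTES = 4096                 # cap on one guarded header (assumed)
MAX_RANGES       = 20                   # cap on byte ranges per request (assumed)
MAX_RANGE_BYTES  = 64 * 1024 * 1024     # cap on bytes a Range may request (assumed)

# Parse an RFC 7233 "bytes=" Range header against a resource of `size` bytes.
# Returns nil when the header is absent, :reject when it is malformed or
# exceeds a limit, otherwise an array of Ruby Range objects (first..last).
def bounded_byte_ranges(header, size)
  return nil if header.nil?
  return :reject if header.bytesize > MAX_HEADER_BYTES
  return :reject unless header.start_with?("bytes=")

  # split with a limit so a header of a million commas never builds a
  # million-element array; anything beyond MAX_RANGES is rejected outright
  specs = header.delete_prefix("bytes=").split(",", MAX_RANGES + 2)
  return :reject if specs.empty? || specs.size > MAX_RANGES

  total = 0
  specs.map do |spec|
    m = /\A\s*(\d*)-(\d*)\s*\z/.match(spec)
    return :reject if m.nil? || (m[1].empty? && m[2].empty?)
    if m[1].empty?                        # suffix form "-N": the last N bytes
      n = m[2].to_i
      return :reject if n.zero?
      first, last = [size - n, 0].max, size - 1
    else                                  # "A-B" or open-ended "A-"
      first = m[1].to_i
      last  = m[2].empty? ? size - 1 : [m[2].to_i, size - 1].min
      return :reject if first >= size || first > last
    end
    total += last - first + 1
    return :reject if total > MAX_RANGE_BYTES   # bounds the response size
    first..last
  end
end

# Middleware: reject oversized parser inputs with 431 and abusive Range
# headers with 416; otherwise pass the request through unchanged.
class HeaderGuard
  GUARDED = %w[CONTENT_TYPE HTTP_ACCEPT HTTP_FORWARDED].freeze

  # size_of: callable returning the byte size of the resource the request targets
  def initialize(app, size_of: ->(_env) { 0 })
    @app = app
    @size_of = size_of
  end

  def call(env)
    GUARDED.each do |key|
      value = env[key]
      return reply(431, "#{key} too large") if value && value.bytesize > MAX_HEADER_BYTES
    end
    if bounded_byte_ranges(env["HTTP_RANGE"], @size_of.call(env)) == :reject
      return reply(416, "Range rejected")
    end
    @app.call(env)
  end

  private

  def reply(status, text)
    [status, { "content-type" => "text/plain", "content-length" => text.bytesize.to_s }, [text]]
  end
end

# Constructed barebones app plus a helper that runs one request (a constructed
# Rack env hash) through the guard and returns the status code.
BAREBONES = ->(_env) { [200, { "content-type" => "text/plain" }, ["A barebones rack app."]] }

def guarded_status(headers, resource_size: 1000)
  app = HeaderGuard.new(BAREBONES, size_of: ->(_env) { resource_size })
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }.merge(headers)
  app.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts guarded_status({})                                          # 200
  puts guarded_status({ "HTTP_RANGE" => "bytes=0-99" })            # 200
  puts guarded_status({ "HTTP_RANGE" => "bytes=" + "0-0," * 100 }) # 416
  puts guarded_status({ "HTTP_ACCEPT" => "a" * 5000 })             # 431
end
```

The guard sits in front of the application (`use HeaderGuard` in a `config.ru` on a real deployment) so that the fixed package's parsers still do the real work; the middleware only guarantees the work is bounded. Note that the suffix form `-N` is honoured and the total requested byte count, not just the range count, is checked, which is what actually limits response size for the CVE-2024-26141 case.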

katnatek 2024-04-12 00:56:10 CEST

Keywords: (none) => advisory

Comment 3 Len Lawrence 2024-04-12 08:17:28 CEST
Taking this one on.  Researching the CVEs just now.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2024-04-12 11:54:05 CEST
It seems that there is very little to report regarding the CVEs so it is best just to run the simple tests used in previous bugs such as bug 31739.

$ rpm -qa | grep ruby-rack
ruby-rack-2.2.8-1.mga9
ruby-rack-doc-2.2.8-1.mga9
ruby-rack-protection-3.0.4-1.mga9

$ ruby logging.rb
2024-04-12 10:40:30 +0100 Thin web server (v1.8.2 codename Ruby Razor)
2024-04-12 10:40:30 +0100 Maximum connections set to 1024
2024-04-12 10:40:30 +0100 Listening on localhost:8080, CTRL+C to stop

Checked localhost:8080/ in Firefox.
Hello World
App took 3 seconds.

Updated the two packages using qarepo then drakrpm-update.  No problem.
$ ruby rackapp.rb
[2024-04-12 10:48:26] INFO  WEBrick 1.8.1
[2024-04-12 10:48:26] INFO  ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-04-12 10:48:26] INFO  WEBrick::HTTPServer#start: pid=1710964 port=8080
127.0.0.1 - - [12/Apr/2024:10:49:29 BST] "GET / HTTP/1.1" 200 21
- -> /

localhost:8080/ displayed:
A barebones rack app.

Basic functionality established.  OK for 64-bits.

Whiteboard: (none) => MGA9-64-OK

Comment 5 Len Lawrence 2024-04-12 11:55:07 CEST
It seems that there is very little to report regarding the CVEs so it is best just to run the simple tests used in previous bugs such as bug 31739.

$ rpm -qa | grep ruby-rack
ruby-rack-2.2.8-1.mga9
ruby-rack-doc-2.2.8-1.mga9
ruby-rack-protection-3.0.4-1.mga9

$ ruby logging.rb
2024-04-12 10:40:30 +0100 Thin web server (v1.8.2 codename Ruby Razor)
2024-04-12 10:40:30 +0100 Maximum connections set to 1024
2024-04-12 10:40:30 +0100 Listening on localhost:8080, CTRL+C to stop

Checked localhost:8080/ in Firefox.
Hello World
App took 3 seconds.

Updated the two packages using qarepo then drakrpm-update.  No problem.
$ ruby rackapp.rb
[2024-04-12 10:48:26] INFO  WEBrick 1.8.1
[2024-04-12 10:48:26] INFO  ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-04-12 10:48:26] INFO  WEBrick::HTTPServer#start: pid=1710964 port=8080
127.0.0.1 - - [12/Apr/2024:10:49:29 BST] "GET / HTTP/1.1" 200 21
- -> /

localhost:8080/ displayed:
A barebones rack app.

Basic functionality established.  OK for 64-bits.

Comment 6 Thomas Andrews 2024-04-12 14:24:16 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2024-04-12 22:46:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0123.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED