Debian-LTS has issued an advisory on January 31: https://www.debian.org/lts/security/2023/dla-3298 The issues are fixed upstream in 2.2.6.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.2.6.2
Assigning to all packagers collectively, because there is no registered maintainer for this package. CC'ing pterjan, who was the last one to push it.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, pterjan
SUSE has issued an advisory for this on February 6: https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html

openSUSE equivalent advisory from today (February 7): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
Ubuntu has issued an advisory for this today (March 2): https://ubuntu.com/security/notices/USN-5910-1
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. (CVE-2022-44570)

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44571)

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44572)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://www.debian.org/lts/security/2023/dla-3298
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
https://ubuntu.com/security/notices/USN-5910-1
========================

Updated packages in core/updates_testing:
========================

ruby-rack-2.2.3.1-1.1.mga8
ruby-rack-doc-2.2.3.1-1.1.mga8

from SRPM:
ruby-rack-2.2.3.1-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: ruby-rack-2.2.4-1.mga9.src.rpm => ruby-rack-2.2.3.1-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.2.6.2 => (none)
SUSE has issued an advisory on March 14: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html

The issue is fixed upstream in 2.2.6.3. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.2.6.3
Version: 8 => Cauldron
Summary: ruby-rack new security issues CVE-2022-4457[0-2] => ruby-rack new security issues CVE-2022-4457[0-2] and CVE-2023-27530
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => pterjan
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. (CVE-2022-44570)

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44571)

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. (CVE-2022-44572)

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected. (CVE-2023-27530)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
https://www.debian.org/lts/security/2023/dla-3298
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
https://ubuntu.com/security/notices/USN-5910-1
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html
========================

Updated packages in core/updates_testing:
========================

ruby-rack-2.2.3.1-1.2.mga8
ruby-rack-doc-2.2.3.1-1.2.mga8

from SRPM:
ruby-rack-2.2.3.1-1.2.mga8.src.rpm
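Added example, not part of the bug report or of the Rack project: a Ruby check that compares an installed Rack gem version against the fixed-version lists quoted in the advisory above and reports which of the four CVEs are still open for it. It assumes that the fixed set for CVE-2022-44570, which the advisory does not state, matches its two sibling 2022 CVEs (the distribution updates ship all three together), that the ">= 1.5.0" lower bound applies to that CVE only, and that Gem::Version ordering is the right comparison for upstream version strings.

```ruby
require 'rubygems'

# Fixed versions per CVE, taken from the advisory text above.
# CVE-2022-44570: fixed set assumed (not stated on the page) to equal that
# of CVE-2022-44571/44572; the advisory only gives the ">= 1.5.0" bound.
RACK_FIXES = {
  'CVE-2022-44570' => { min: '1.5.0', fixed: %w[2.0.9.2 2.1.4.2 2.2.4.1 3.0.0.1] },
  'CVE-2022-44571' => { fixed: %w[2.0.9.2 2.1.4.2 2.2.4.1 3.0.0.1] },
  'CVE-2022-44572' => { fixed: %w[2.0.9.2 2.1.4.2 2.2.4.1 3.0.0.1] },
  'CVE-2023-27530' => { fixed: %w[2.0.9.3 2.1.4.3 2.2.6.3 3.0.4.2] }
}.freeze

# Release branch of a version: its first two segments (2.2.3.1 -> [2, 2]).
def branch(ver)
  ver.segments.first(2)
end

# True when +installed+ (an upstream version string) still lacks the fix for +cve+.
def affected?(installed, cve)
  v = Gem::Version.new(installed)
  info = RACK_FIXES.fetch(cve)
  # Below the stated lower bound the vulnerable code is not present.
  return false if info[:min] && v < Gem::Version.new(info[:min])

  fixes = info[:fixed].map { |f| Gem::Version.new(f) }
  same_branch = fixes.find { |f| branch(f) == branch(v) }
  # The installed branch received a fix: affected only below that release.
  return v < same_branch if same_branch

  # No fix for this branch: branches older than the oldest fixed one never
  # got a release (e.g. 1.6.x); newer ones (e.g. 3.1.x) postdate the fix.
  v < fixes.min
end

# Every CVE from the advisory that is still open for the given version.
def open_cves(installed)
  RACK_FIXES.keys.select { |cve| affected?(installed, cve) }
end

# Constructed sample: the upstream number Mageia 8 ships, then the fixed release.
puts "2.2.3.1 -> #{open_cves('2.2.3.1').inspect}"
puts "2.2.6.3 -> #{open_cves('2.2.6.3').inspect}"
```

Distribution packages such as ruby-rack-2.2.3.1-1.2.mga8 carry the fixes as backports under the older upstream number, so for a packaged gem the package changelog, not this version comparison, is the authoritative check.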
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.2.6.3 => (none)
Mageia8, x86_64

Core packages already installed.

$ sudo gem install thin

Ran some basic tests as on other rack bugs. Detached thin web server worked.

Updated the two packages. Restarted the thin server.

edit config.rb
$ ruby hello.rb &
[1] 1093061
$ 2023-03-19 21:04:58 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2023-03-19 21:04:58 +0000 Maximum connections set to 1024
2023-03-19 21:04:58 +0000 Listening on localhost:8080, CTRL+C to stop

"Hello world" at localhost:8080/ in a browser.

Used Pascal's test from bug 23813. It crashed when run as a .rb script, presumably because the interpreter got in first and reported the run method missing.

$ cat test.ru
run ->(env){ ['200', {'Content-Type' => 'text/html'}, ["get rack\'d\n"]] }

$ rackup test.ru &
[1] 1098897
$ 2023-03-19 21:34:52 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2023-03-19 21:34:52 +0000 Maximum connections set to 1024
2023-03-19 21:34:52 +0000 Listening on localhost:9292, CTRL+C to stop
127.0.0.1 - - [19/Mar/2023:21:34:57 +0000] "GET / HTTP/1.1" 200 11 0.0019
fg
rackup test.ru
^C2023-03-19 21:35:19 +0000 Stopping ...

The message "get rack'd" appeared at localhost:9292/

If rack is invoked within the script it can be run as a standard ruby file.

$ cat rackapp.rb
require 'rack'
app = ->( env ){ ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']] }
Rack::Handler::WEBrick.run app
--------------------------------------------------------------------------
$ ruby rackapp.rb
[2023-03-19 21:52:46] INFO  WEBrick 1.6.1
[2023-03-19 21:52:46] INFO  ruby 2.7.7 (2022-11-24) [x86_64-linux]
[2023-03-19 21:52:46] INFO  WEBrick::HTTPServer#start: pid=1102247 port=8080

"A barebones rack app." at localhost:8080/

PoC test from bug 26952:
$ ruby -r rack -e 'p Rack::Utils.parse_cookies(Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar"))'
{"%66oo"=>"baz", "foo"=>"bar"}

$ urpmq --whatrequires ruby-rack | sort -u
ruby-rack
ruby-rack-doc
ruby-rack-protection
ruby-rack-test
ruby-sinatra

sinatra is too complicated for this tester so this should pass on the basis of these few simple tests.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs