SUSE has issued an advisory on April 8: https://lwn.net/Articles/968993/ Those CVEs are fixed in versions 3.0.9.1 (for Cauldron) and 2.2.8.1 (for Mageia 9).
Status comment: (none) => Fixed upstream in 3.0.9.1 and 2.2.8.1
Source RPM: (none) => ruby-rack-3.0.9-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Assigning to Pascal who committed 2.2.4 (for 2.2.8, not visible to me), and 3.0.9.
Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm => ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm
Assignee: bugsquad => pterjan
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDoS 2nd degree polynomial). (CVE-2024-25126)

Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). (CVE-2024-26141)

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. (CVE-2024-26146)

References:
https://lwn.net/Articles/968993/
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.8.1-1.mga9
ruby-rack-doc-2.2.8.1-1.mga9

from SRPM:
ruby-rack-2.2.8.1-1.mga9.src.rpm
Version: Cauldron => 9
Status comment: Fixed upstream in 3.0.9.1 and 2.2.8.1 => (none)
Assignee: pterjan => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: ruby-rack-3.0.9-1.mga10.src.rpm, ruby-rack-2.2.8-1.mga9.src.rpm => ruby-rack-2.2.8-1.mga9.src.rpm
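The Range-header issue in the suggested advisory above (CVE-2024-26141), as an added example that is not part of this bug report or of Rack itself: a stand-alone Ruby model of HTTP byte-range parsing that shows how a syntactically valid header made of repeated ranges multiplies the size of a 206 response, and the kind of total-size cap that bounds it. The function names, the 1 KiB resource and the header values are constructed for the example; the cap reflects the editor's understanding of what the upstream fix does and is an assumption, not a copy of Rack's `byte_ranges` code.

```ruby
# Added example (not Rack's code): a stand-alone model of HTTP Range parsing
# that shows the amplification behind CVE-2024-26141 and the class of check
# that closes it. The parsing follows the RFC 7233 byte-range-spec syntax;
# the cap on total requested bytes is this example's own hardening, written
# to match the behaviour described in the advisory (assumption, not Rack code).

# Parse a Range header value against a resource of `size` bytes.
# Returns an Array of Ranges (possibly empty), or nil when the header is
# absent or syntactically unusable, in which case a server ignores it and
# sends the whole body with 200 instead of 206.
def byte_ranges(http_range, size, cap_total: true)
  return nil unless http_range && http_range =~ /\Abytes=([^;]+)\z/
  ranges = []
  $1.split(/,\s*/).each do |spec|
    return nil unless spec.include?('-')
    first, last = spec.split('-', 2)
    if first.nil? || first.empty?
      return nil if last.nil? || last.empty?
      # suffix-byte-range-spec: the final N bytes of the resource
      r0 = [size - last.to_i, 0].max
      r1 = size - 1
    else
      r0 = first.to_i
      if last.nil? || last.empty?
        r1 = size - 1
      else
        r1 = last.to_i
        return nil if r1 < r0          # backwards range: syntactically invalid
        r1 = size - 1 if r1 >= size    # clamp to the end of the resource
      end
    end
    ranges << (r0..r1) if r0 <= r1
  end
  # Hardening (assumption about the upstream fix): overlapping or repeated
  # ranges are each valid, so without a cap a client can request the same
  # bytes hundreds of times and make the 206 body far larger than the file.
  # Rejecting a set whose total exceeds the resource size bounds the response.
  return [] if cap_total && ranges.sum(&:size) > size
  ranges
end

# Payload bytes a multipart/byteranges response would carry for `ranges`
# (part headers and boundaries are ignored here).
def response_bytes(ranges)
  ranges ? ranges.sum(&:size) : 0
end

# Ratio of response payload to resource size with the cap switched off,
# i.e. the amplification a vulnerable parser would hand to the client.
def amplification(header, size)
  response_bytes(byte_ranges(header, size, cap_total: false)).fdiv(size)
end

# Constructed input: a 1 KiB resource, a normal two-range request, and a
# header repeating the full range 200 times (each range valid on its own).
FILE_SIZE = 1024
NORMAL_RANGE = 'bytes=0-99,-100'
ABUSIVE_RANGE = 'bytes=' + (['0-'] * 200).join(',')

if __FILE__ == $PROGRAM_NAME
  puts "normal           : #{byte_ranges(NORMAL_RANGE, FILE_SIZE).inspect}"
  puts "abusive, uncapped: #{amplification(ABUSIVE_RANGE, FILE_SIZE)}x the file size"
  puts "abusive, capped  : #{byte_ranges(ABUSIVE_RANGE, FILE_SIZE).inspect}"
end
```

Run it with `ruby` to see the uncapped parser hand back 200 times the file for a header only a few hundred bytes long, and the capped one return an empty range set, which a server turns into a plain 200 response of the file itself. For QA of the packaged update, the same idea applies with the real library: feed `Rack::Utils.byte_ranges` a repeated-range header and confirm the updated build no longer returns a range list whose total exceeds the resource size.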
Keywords: (none) => advisory
Taking this one on. Researching the CVEs just now.
CC: (none) => tarazed25
It seems that there is very little to report regarding the CVEs so it is best just to run the simple tests used in previous bugs such as bug 31739.

$ rpm -qa | grep ruby-rack
ruby-rack-2.2.8-1.mga9
ruby-rack-doc-2.2.8-1.mga9
ruby-rack-protection-3.0.4-1.mga9

$ ruby logging.rb
2024-04-12 10:40:30 +0100 Thin web server (v1.8.2 codename Ruby Razor)
2024-04-12 10:40:30 +0100 Maximum connections set to 1024
2024-04-12 10:40:30 +0100 Listening on localhost:8080, CTRL+C to stop

Checked localhost:8080/ in Firefox. Hello World App took 3 seconds.

Updated the two packages using qarepo then drakrpm-update. No problem.

$ ruby rackapp.rb
[2024-04-12 10:48:26] INFO  WEBrick 1.8.1
[2024-04-12 10:48:26] INFO  ruby 3.1.4 (2023-03-30) [x86_64-linux]
[2024-04-12 10:48:26] INFO  WEBrick::HTTPServer#start: pid=1710964 port=8080
127.0.0.1 - - [12/Apr/2024:10:49:29 BST] "GET / HTTP/1.1" 200 21
- -> /

localhost:8080/ displayed:
A barebones rack app.

Basic functionality established. OK for 64-bits.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0123.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED