Ubuntu has issued an advisory on March 24: https://ubuntu.com/security/notices/USN-7366-1
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from Ubuntu
CVE: (none) => CVE-2025-25184, CVE-2025-27111, CVE-2025-27610
Source RPM: (none) => ruby-rack-3.1.12-1.mga10.src.rpm, ruby-rack-2.2.8.1-1.mga9.src.rpm
Patch for CVE-2025-25184? https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

CVE-2025-27111 has 3 github commits:
https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3

CVE-2025-27610: I think this is the patch: https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583

Assigning to Pascal who does the version updates for ruby-rack; but ns80 seems to apply CVE patches - already CC'd as bug originator. So re-assign if you prefer, Pascal.
Assignee: bugsquad => pterjan
CVE-2025-25184 is fixed in 2.2.11 and 3.1.10
CVE-2025-27111 is fixed in 2.2.12 and 3.1.11
CVE-2025-27610 is fixed in 2.2.13 and 3.1.12

Cauldron has 3.1.12 so already has all the fixes. We should update 9 to 2.2.13.
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: ruby-rack-3.1.12-1.mga10.src.rpm, ruby-rack-2.2.8.1-1.mga9.src.rpm => ruby-rack-2.2.8.1-1.mga9.src.rpm
ruby-rack-2.2.13-1.mga9 is in 9/core/updates_testing

ruby-rack-2.2.13-1.mga9.src.rpm
ruby-rack-2.2.13-1.mga9.noarch.rpm
ruby-rack-doc-2.2.13-1.mga9.noarch.rpm
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Possible Log Injection in Rack::CommonLogger. (CVE-2025-25184)

Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection. (CVE-2025-27111)

Local File Inclusion in Rack::Static. (CVE-2025-27610)

References:
https://ubuntu.com/security/notices/USN-7366-1
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.13-1.mga9
ruby-rack-doc-2.2.13-1.mga9

from SRPM:
ruby-rack-2.2.13-1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: pterjan => qa-bugs
Status comment: Patches available from Ubuntu => (none)
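The advisory above names two log-injection classes (CVE-2025-25184 and CVE-2025-27111). The following Ruby script is an added example, not code from this bug report or from the Rack project: it shows the defensive pattern such fixes rely on, escaping every control character in untrusted request fields before they are written into a Common Log Format line, so CR/LF or ANSI escape sequences in a request can neither forge a second log entry nor drive a terminal. The request hash, field names and sample values are constructed for the demonstration.

```ruby
# Added example (not from the Mageia bug or the Rack project): sanitize
# untrusted request data before it reaches an access-log line, the
# mitigation for the log / escape-sequence injection classes named in
# CVE-2025-25184 and CVE-2025-27111.

# Escape control characters (NUL..US and DEL, which covers ESC, CR, LF and
# TAB) so a value always stays on one logical line and carries no terminal
# control sequences.
def sanitize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) do |c|
    case c
    when "\n" then "\\n"
    when "\r" then "\\r"
    when "\t" then "\\t"
    when "\e" then "\\e"
    else format("\\x%02X", c.ord)
    end
  end
end

# Build one Common Log Format line (the shape Rack::CommonLogger emits)
# from a constructed, already-parsed request hash; every field that
# originates from the client is sanitized first.
def common_log_line(req)
  format('%s - %s [%s] "%s %s %s" %d %s',
         sanitize_for_log(req[:remote_addr]),
         sanitize_for_log(req[:user] || "-"),
         req[:time],
         sanitize_for_log(req[:method]),
         sanitize_for_log(req[:path]),
         sanitize_for_log(req[:protocol]),
         req[:status],
         req[:length] || "-")
end

# Constructed sample: the path carries an ANSI "erase line" sequence and a
# CR/LF followed by text shaped like a second, clean-looking log entry.
SAMPLE_REQUEST = {
  remote_addr: "192.0.2.10",
  time: "13/Nov/2025:11:28:10 +0100",
  method: "GET",
  path: "/\e[2K\r\n192.0.2.99 - - [13/Nov/2025:11:28:11 +0100] \"GET /admin HTTP/1.1\" 200 5",
  protocol: "HTTP/1.1",
  status: 404,
  length: 21,
}.freeze

puts common_log_line(SAMPLE_REQUEST) if __FILE__ == $PROGRAM_NAME
```

The printed line is a single record in which the injected bytes appear as the visible text `\e[2K\r\n`, so a log viewer or `tail -f` in a terminal shows exactly one request.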
MGA9-64 server Plasma Wayland on Compaq H000SB.

Installed new version of ruby from bug 34179 in one go, no issues on installation.

Test from bug 31739 fails with:

  $ ruby logging.rb
  Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
  <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- thin (LoadError)
  from <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require'
  from logging.rb:8:in `<main>'

Run as root, as normal user has no write privileges on /usr/share/gems directory:

  # gem pristine bigdecimal --version 3.1.1
  Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
  Restoring gems to pristine condition...
  Building native extensions. This could take a while...
  Restored bigdecimal-3.1.1

But still same error on test command.

Tried other test from bug 31739, but ran into exactly the same problem.
CC: (none) => herman.viaene
I think you need ruby update from bug 34179, too.
That's what I did, see my second line.

Rummaged around in previous updates and found this:

  # gem uninstall -i /usr/share/gems bigdecimal
  Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
  Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
  Successfully uninstalled bigdecimal-3.1.1
  # gem pristine bigdecimal --version 3.1.1
  Restoring gems to pristine condition...
  Building native extensions. This could take a while...
  Restored bigdecimal-3.1.1

Then after installing ruby-webrick, I could

  $ ruby rackapp.rb
  [2025-11-13 11:27:11] INFO WEBrick 1.7.0
  [2025-11-13 11:27:11] INFO ruby 3.1.5 (2024-04-23) [x86_64-linux]
  [2025-11-13 11:27:11] INFO WEBrick::HTTPServer#start: pid=160872 port=8080
  127.0.0.1 - - [13/Nov/2025:11:28:10 CET] "GET / HTTP/1.1" 200 21
  - -> /

and point to localhost:8080 and get the screen "A barebones rack app". So that is OK, but

  $ ruby logging.rb
  <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- thin (LoadError)
  from <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require'
  from logging.rb:8:in `<main>'

But my ignorance is too big to understand this.
Keywords: (none) => advisory
OK Herman. Shall take a look at this tomorrow. 'thin' rings a bell; might be a gem, thin server? Anyway, later.
CC: (none) => tarazed25
Created attachment 15174: Modified test file, which fails latest test.
Made no progress with this. The environment may have changed a little. Modified the comments in the logging.rb file. These are the relevant bits:

  require "/usr/share/gems/gems/rack-2.2.13/lib/rack"
  require "/usr/share/gems/gems/rack-2.2.13/lib/rack/handler/thin"
  #require "/usr/share/gems/gems/rack-2.2.13/lib/rack/thin/logging"
  require "/usr/share/gems/gems/rack-2.2.13/lib/rack/logger"
  #require "/usr/share/gems/gems/rack-2.2.13/lib/rack/thin/backends/tcp_server"
  # yields 'no such file'
  # and the only other one located is version 2.0.1
  # $ locate tcp_server.rb
  # /usr/local/share/gems/gems/thin-2.0.1/lib/thin/backends/tcp_server.rb
  # /usr/share/gems/gems/rbs-2.7.0/stdlib/socket/0/tcp_server.rbs
  # /usr/local/share/gems/gems/thin-2.0.1/lib/thin/backends/tcp_server.rb

  $ ruby logging.rb
  Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
  /usr/share/gems/gems/rack-2.2.13/lib/rack/handler/thin.rb:19:in `run': "2.0.1" is not a class/module (TypeError)
  from logging.rb:38:in `<main>'
If Herman & Len agree, we must validate this: at least one test example works for Herman, and it looks like the logging example test was problematic before.
OK, the rack server example works fine as you say. The other one may come back at some point as a separate bug. Let's send it on. So, over to you Herman.
I go with your conclusions.
Whiteboard: (none) => MGA9-64-OK
Thank you, gentlemen. Your expertise and experience are invaluable. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0311.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Thanks everyone for digging into this. I've been following the thread and it's good to see that the core update was validated in the end and pushed to updates. The testing discussion around the logging example vs the rack server example was helpful to understand what actually regressed and what didn't. Looks like the remaining thin-related issues are more about the test setup/environment than the security fixes themselves, so handling that separately makes sense.
CC: (none) => stilleveba
CC: stilleveba => (none)