Bug 34755 - ruby-rack new security issues CVE-2025-46727, CVE-2025-49007, CVE-2025-59830, CVE-2025-6177[0-2], CVE-2025-61919, CVE-2025-61780
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-11-19 09:56 CET by Nicolas Salguero
Modified: 2025-12-29 22:15 CET (History)

See Also:
Source RPM: ruby-rack-2.2.13-1.mga9.src.rpm
CVE: CVE-2025-46727, CVE-2025-49007, CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919, CVE-2025-61780
Status comment:


Attachments

Description Nicolas Salguero 2025-11-19 09:56:25 CET
Reference: https://rack.github.io/rack/3.2/CHANGELOG_md.html
Nicolas Salguero 2025-11-19 09:58:35 CET

CVE: (none) => CVE-2025-46727, CVE-2025-49007, CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919, CVE-2025-61780
Status comment: (none) => Fixed upstream in 3.1.19 and 2.2.21
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => ruby-rack-3.1.12-2.mga10.src.rpm, ruby-rack-2.2.13-1.mga9.src.rpm
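To turn the status comment above ("Fixed upstream in 3.1.19 and 2.2.21") into a check, here is an added Ruby example; it is not part of this bug report, of Rack, or of the Mageia packages. The function names and the `ruby-rack-<version>-<release>` package-name pattern it parses are assumptions made for the example; the 2.2 and 3.1 minimums come from the status comment, and any other branch is reported as unknown rather than guessed.

```ruby
require "rubygems"

# Minimum fixed release per upstream maintenance branch, taken from the
# "Fixed upstream in 3.1.19 and 2.2.21" status comment on this bug.
FIXED_RACK_VERSIONS = {
  "2.2" => Gem::Version.new("2.2.21"),
  "3.1" => Gem::Version.new("3.1.19"),
}.freeze

# Classify an upstream gem version string as :fixed, :vulnerable, or
# :unknown (a branch this bug says nothing about, e.g. 3.0.x or 3.2.x,
# which has to be checked against the upstream changelog instead).
def rack_fix_status(version_string)
  version = Gem::Version.new(version_string)
  branch = version.segments[0, 2].join(".")
  minimum = FIXED_RACK_VERSIONS[branch]
  return :unknown unless minimum
  version >= minimum ? :fixed : :vulnerable
end

# Extract the upstream version from a package name such as
# "ruby-rack-2.2.21-1.mga9" (hypothetical pattern assumed for the example).
# Feeding the whole string to Gem::Version would be wrong: a "-" marks a
# prerelease there, so "2.2.21-1.mga9" would sort *below* 2.2.21.
def rpm_upstream_version(package_name)
  match = package_name.match(/\Aruby-rack-(\d+(?:\.\d+)*)-/)
  match && match[1]
end

# Version of the rack gem visible to this Ruby, or nil when none is installed.
def installed_rack_version
  Gem::Specification.find_by_name("rack").version.to_s
rescue Gem::LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  ["2.2.13", "2.2.21", "3.1.12", "3.1.19", "3.2.0"].each do |v|
    puts "#{v}: #{rack_fix_status(v)}"
  end
  installed = installed_rack_version
  puts "installed rack: #{installed ? "#{installed} (#{rack_fix_status(installed)})" : 'none'}"
end
```

The package versions on this bug map as expected: the old SRPM 2.2.13 is vulnerable, the update 2.2.21 is fixed, and the 3.1.12 package named for Cauldron is vulnerable until 3.1.19.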

Comment 1 Lewis Smith 2025-11-20 21:47:56 CET
Assigning this to Pascal, who does version updates for ruby-rack.

Assignee: bugsquad => pterjan

Comment 2 Nicolas Salguero 2025-12-01 11:11:30 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Unbounded-Parameter DoS in Rack::QueryParser. (CVE-2025-46727)

ReDoS Vulnerability in Rack::Multipart handle_mime_head. (CVE-2025-49007)

Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters. (CVE-2025-59830)

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion). (CVE-2025-61770)

Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion). (CVE-2025-61771)

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion). (CVE-2025-61772)

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing. (CVE-2025-61919)

Rack has Possible Information Disclosure Vulnerability. (CVE-2025-61780)

References:
https://rack.github.io/rack/3.2/CHANGELOG_md.html
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.21-1.mga9
ruby-rack-doc-2.2.21-1.mga9

from SRPM:
ruby-rack-2.2.21-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 3.1.19 and 2.2.21 => (none)
Version: Cauldron => 9
Assignee: pterjan => qa-bugs
Status: NEW => ASSIGNED
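To make the CVE-2025-59830 item in the advisory above (params_limit bypass via semicolon-separated parameters) concrete, here is an added Ruby model of the bug class; it is not Rack's code and not from this bug report. It assumes a parser whose budget check counts only "&" while its split also honours ";" (the weak form), beside a hardened form that counts the pairs the actual separator produced and, as an assumption about the shape of the fix, treats only "&" as a separator by default. PARAMS_LIMIT, the error class, the function names and the query strings are constructed for the example.

```ruby
# Hypothetical small budget so the constructed inputs below trip it.
PARAMS_LIMIT = 4

class ParamsTooManyError < StandardError; end  # hypothetical error class

# Shared key/value extraction: "a=1" -> ["a", "1"]; empty pieces are dropped.
def pairs_to_params(pairs)
  pairs.each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    next if key.nil? || key.empty?
    params[key] = value
  end
end

# WEAK: the budget is enforced by counting "&" only, but the split also
# accepts ";". A query using ";" as its separator never reaches the limit.
def parse_query_weak(qs, limit: PARAMS_LIMIT)
  raise ParamsTooManyError, "too many parameters" if qs.count("&") >= limit
  pairs_to_params(qs.split(/[&;]/))
end

# HARDENED: split with the real separator first, then count what the split
# actually produced. With the default of "&" only, ";" is an ordinary byte
# and stays inside the value; callers that opt into /[&;]/ still get the
# limit enforced on the true number of parameters.
def parse_query_hardened(qs, limit: PARAMS_LIMIT, separator: "&")
  pairs = qs.split(separator)
  if pairs.size > limit
    raise ParamsTooManyError, "too many parameters (#{pairs.size} > #{limit})"
  end
  pairs_to_params(pairs)
end

# Constructed inputs: a benign query, an "&" flood, and the same flood
# rewritten with ";" so the weak check sees zero "&".
BENIGN_QUERY = "a=1&b=2&c=3"
AMP_FLOOD    = "a=1&b=2&c=3&d=4&e=5"
SEMI_FLOOD   = "a=1;b=2;c=3;d=4;e=5"

# Outcome of a parser on one input: the parameter count, or :rejected.
def outcome(parser, qs, **opts)
  send(parser, qs, **opts).size
rescue ParamsTooManyError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  { BENIGN: BENIGN_QUERY, AMP_FLOOD: AMP_FLOOD, SEMI_FLOOD: SEMI_FLOOD }.each do |name, qs|
    puts "#{name}: weak=#{outcome(:parse_query_weak, qs)} " \
         "hardened=#{outcome(:parse_query_hardened, qs)} " \
         "hardened(&;)=#{outcome(:parse_query_hardened, qs, separator: /[&;]/)}"
  end
end
```

The weak parser rejects the five-parameter "&" flood but happily returns five parameters for the identical ";" flood, which is the bypass; the hardened parser either keeps ";" inside a single value or, when ";" is deliberately enabled as a separator, rejects the flood on its real parameter count.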

Nicolas Salguero 2025-12-01 11:11:35 CET

Source RPM: ruby-rack-3.1.12-2.mga10.src.rpm, ruby-rack-2.2.13-1.mga9.src.rpm => ruby-rack-2.2.13-1.mga9.src.rpm

Comment 3 Herman Viaene 2025-12-01 17:15:11 CET
I must have cleaned up too much after the previous test, but then there are things where I don't understand how it ever worked.
ruby rackapp.rb
[2025-12-01 16:37:09] INFO  WEBrick 1.7.0
[2025-12-01 16:37:09] INFO  ruby 3.1.5 (2024-04-23) [x86_64-linux]
[2025-12-01 16:37:09] INFO  WEBrick::HTTPServer#start: pid=84765 port=8080
127.0.0.1 - - [01/Dec/2025:16:37:47 CET] "GET / HTTP/1.1" 200 21
- -> /
The message "A barebones rack app" appeared at localhost:8080/ in Firefox.
That's OK.
$ ruby function.rb
56
1
{false=>3, true=>2}
That's also OK.
$ ruby rexml_test.rb xlst/cdcatalog.xml >result
rexml_test.rb:5:in `initialize': No such file or directory @ rb_sysopen - /home/<user>/data/tv/Channels.xspf (Errno::ENOENT)
        from rexml_test.rb:5:in `new'
        from rexml_test.rb:5:in `<main>'
Of course /home/<user>/etc... does not exist.
I still have files from the xlst testing, but Channels.xspf isn't one of them, and I am at a loss where to find it.
I can't remember having edited the rexml_test.rb file either.

CC: (none) => herman.viaene

katnatek 2025-12-01 20:20:32 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2025-12-29 01:45:53 CET
The first two commands gave OK results, and as for the third, the app seemed to do what it should when it didn't find the file/directory. I think we can call that good enough.

Validating.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2025-12-29 22:15:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0334.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

