Bug 35285 - ruby-rack new security issues CVE-2026-22860, CVE-2026-25500
Summary: ruby-rack new security issues CVE-2026-22860, CVE-2026-25500
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-27 15:26 CET by Nicolas Salguero
Modified: 2026-04-01 01:07 CEST (History)
3 users (show)

See Also:
Source RPM: ruby-rack-2.2.21-1.mga9.src.rpm
CVE: CVE-2026-22860, CVE-2026-25500
Status comment:
herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-27 15:26:36 CET 
Debian has issued an advisory on March 26:
https://lists.debian.org/debian-security-announce/2026/msg00089.html
Nicolas Salguero 2026-03-27 15:27:30 CET

CVE: (none) => CVE-2026-22860, CVE-2026-25500
Status comment: (none) => Fixed upstream in 3.1.20 and 2.2.22
Source RPM: (none) => ruby-rack-3.1.19-1.mga10.src.rpm, ruby-rack-2.2.21-1.mga9.src.rpm
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-03-27 15:40:28 CET 
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Rack has a Directory Traversal via Rack:Directory. (CVE-2026-22860)

Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href. (CVE-2026-25500)

References:
https://lists.debian.org/debian-security-announce/2026/msg00089.html
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.2.22-1.mga9
ruby-rack-doc-2.2.22-1.mga9

from SRPM:
ruby-rack-2.2.22-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Source RPM: ruby-rack-3.1.19-1.mga10.src.rpm, ruby-rack-2.2.21-1.mga9.src.rpm => ruby-rack-2.2.21-1.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.1.20 and 2.2.22 => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Flags: affects_mga9+ => (none)

katnatek 2026-03-28 04:06:10 CET

Keywords: (none) => advisory

Comment 2 Herman Viaene 2026-03-28 15:29:11 CET 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34755
$ ruby rackapp.rb
[2026-03-28 15:20:50] INFO  WEBrick 1.7.0
[2026-03-28 15:20:50] INFO  ruby 3.1.5 (2024-04-23) [x86_64-linux]
[2026-03-28 15:20:50] INFO  WEBrick::HTTPServer#start: pid=76970 port=8080
127.0.0.1 - - [28/Mar/2026:15:24:56 CET] "GET / HTTP/1.1" 200 21
- -> /
The message "A barebones rack app" appeared at localhost:8080/ in Firefox.
$ ruby function.rb
56
1
{false=>3, true=>2}
Should be good enough.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 3 Thomas Andrews 2026-03-31 18:24:45 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2026-04-01 01:07:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0075.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.