Monday, June 17, 2024

[USN-6837-1] Rack vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmZwRsgACgkQZWnYVadE
vpOd4RAAjDewIlC+/sJM3aFkumXw2lOOWOrwL4VpCMUI6IMvnd5Ea4ER2ALWlqqr
npdM4R0pE6FFujV+nz/LqFA2uxTJOvb2KxdTrYNawfND55RN37Vwrl9nGU94H2by
ZC+/9ki7XF03c2bNhoepll8zZIAwbRcclrmIxq/YyUZWzPhq1FRcysTrgM0Q+/l7
iSVNR7I1OsqBwDHx4ah4LlZQvOCEXut5x4rLijj16hEkZiLw9LFNnaBfpy8cZMM3
cVAw2qY1s6cEzdb82FzkxiKlo9KpTbK9gTl13FUoIc9yalLQK7sM1pciGuzYjFuU
G76pxIRqXHip0R5i7ly08Cncpu5xJq1w2+mqEFcEhmb0dSNLfRKo0ICn+LlHW9nw
PRSFHQq0knCPXOngZUnSBGHHUxT8KWcKRHNPlgNtNsTjGCc41r8+Y5A7RGyVe+xc
e4RdRnrKzmVDpUM0mWoIEL9nWx8QRieJlTRNdaV0afCYgFyKASF9FPXRtPA6u+VU
is7qOvoQOFlGgNWTZjHnODNKWMzC6E9+3cYnOsjAnya2p/SLWbqiu///k0EwqFBE
0XvdmRuqAakQlAJZ6bzK7XwBoB8A3Eod+aZIxdVM5J0pB74Z7DDQFYw9IRUDW2Cv
GrwjSfrUTSKu73hNGlKoSWBsXvrzFxp+Wx37Ax/sre0AcEpHQuc=
=nPYE
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6837-1
June 17, 2024

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled Multipart MIME parsing. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
23.10. (CVE-2023-27530)

It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create large
responses, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.1

Ubuntu 23.10
ruby-rack 2.2.4-3ubuntu0.2

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6837-1
CVE-2023-27530, CVE-2024-25126, CVE-2024-26141, CVE-2024-26146

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.4-3ubuntu0.2

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)