[From nobody Fri Mar 27 00:49:07 2026
Received: (at 1128480-close) by bugs.debian.org; 27 Mar 2026 00:48:29 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from mitropoulos.debian.org
 ([2001:648:2ffc:deb:216:61ff:fe9d:958d]:59960)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1w5vNF-0062B8-17 for 1128480-close@bugs.debian.org;
 Fri, 27 Mar 2026 00:48:29 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mitropoulos.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1w5vND-000tv3-1X for 1128480-close@bugs.debian.org;
 Fri, 27 Mar 2026 00:48:27 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1w5vNC-00000008Dof-1HIB; Fri, 27 Mar 2026 00:48:26 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Utkarsh Gupta <utkarsh@debian.org>
To: 1128480-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: ruby-rack
Debian: DAK
Debian-Changes: ruby-rack_2.2.22-0+deb12u1_source.changes
Debian-Source: ruby-rack
Debian-Version: 2.2.22-0+deb12u1
Debian-Architecture: source
Debian-Suite: oldstable-proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1128480: fixed in ruby-rack 2.2.22-0+deb12u1
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============1333580659664083427=="
Message-Id: <E1w5vNC-00000008Dof-1HIB@fasolo.debian.org>
Date: Fri, 27 Mar 2026 00:48:26 +0000
X-CrossAssassin-Score: 2

--===============1333580659664083427==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: ruby-rack
Source-Version: 2.2.22-0+deb12u1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Mar 2026 17:34:17 +0530
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.22-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 1128479 1128480
Changes:
 ruby-rack (2.2.22-0+deb12u1) bookworm-security; urgency=high
 .
   * New upstream version 2.2.22.
     - CVE-2026-25500: XSS injection via malicious filename
       in `Rack::Directory`. (Closes: #1128480)
     - CVE-2026-22860: Directory traversal via root prefix
       bypass in `Rack::Directory`. (Closes: #1128479)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============1333580659664083427==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCacXT2gAKCRCb9qggYcy5
IQpSAQCvH8Rx6Fj4NboYFf3cFC8Cka6f/Obx9RcWT2diRhfxxAD/eFfOycts/Zhm
55d5QQPmH/Ihy5grUHbVapN5yzb4gAU=
=jxsv
-----END PGP SIGNATURE-----

--===============1333580659664083427==--
]