[From nobody Fri Apr  3 21:33:13 2026
Received: (at 1128480-close) by bugs.debian.org; 3 Apr 2026 20:32:07 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:41940)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1w8lBX-00B2an-2R for 1128480-close@bugs.debian.org;
 Fri, 03 Apr 2026 20:32:07 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by muffat.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1w8lBX-009xGq-0A for 1128480-close@bugs.debian.org;
 Fri, 03 Apr 2026 20:32:07 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1w8lBV-00000006UPf-3mKT; Fri, 03 Apr 2026 20:32:05 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Utkarsh Gupta <utkarsh@debian.org>
To: 1128480-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: ruby-rack
Debian: DAK
Debian-Changes: ruby-rack_3.1.20-0+deb13u1_source.changes
Debian-Source: ruby-rack
Debian-Version: 3.1.20-0+deb13u1
Debian-Architecture: source
Debian-Suite: proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1128480: fixed in ruby-rack 3.1.20-0+deb13u1
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============8366801672570363689=="
Message-Id: <E1w8lBV-00000006UPf-3mKT@fasolo.debian.org>
Date: Fri, 03 Apr 2026 20:32:05 +0000

--===============8366801672570363689==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: ruby-rack
Source-Version: 3.1.20-0+deb13u1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Mar 2026 09:44:22 +0530
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.20-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 1128479 1128480
Changes:
 ruby-rack (3.1.20-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream version 3.1.20.
     - CVE-2026-25500: XSS injection via malicious filename
       in `Rack::Directory`. (Closes: #1128480)
     - CVE-2026-22860: Directory traversal via root prefix
       bypass in `Rack::Directory`. (Closes: #1128479)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============8366801672570363689==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============8366801672570363689==--
]