[Git][security-tracker-team/security-tracker][master] Reserve DLA-4357-1 for ruby-rack
Utkarsh Gupta (@utkarsh)
utkarsh at debian.org
Sat Nov 1 20:40:27 GMT 2025
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
19f98efd by Utkarsh Gupta at 2025-11-01T21:40:03+01:00
Reserve DLA-4357-1 for ruby-rack
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -57955,7 +57955,6 @@ CVE-2025-46821 (Envoy is a cloud-native edge/middle/service proxy. Prior to vers
- envoyproxy <itp> (bug #987544)
CVE-2025-46727 (Rack is a modular Ruby web server interface. Prior to versions 2.2.14, ...)
- ruby-rack 3.1.16-0.1 (bug #1104927)
- [bullseye] - ruby-rack <postponed> (Minor issue, DoS)
NOTE: https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
NOTE: Fixed by: https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74 (v3.1.14)
NOTE: Fixed by: https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712 (v3.0.16)
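Review bot: only the `[bullseye] - ruby-rack <postponed> (Minor issue, DoS)` line is dropped for CVE-2025-46727 while the `ruby-rack 3.1.16-0.1 (bug #1104927)` fixed line stays, which is the right shape once a bullseye fixed version is recorded in data/DLA/list. The two fix references in the NOTE lines are tagged v3.1.14 and v3.0.16, far above the 2.1.4 base used in bullseye, so this DLA necessarily ships backported patches rather than a version bump; that matches the removed 20251026 note in data/dla-needed.txt ("backported patches"), but it is worth double-checking that both upstream commits were carried over, not just the 3.1 one.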
@@ -57994,7 +57993,6 @@ CVE-2025-46336 (Rack::Session is a session management implementation for Rack. I
NOTE: Fixed by: https://github.com/rack/rack-session/commit/c58ad7952cc7d0649f0ea9c78d55049739c49e5a (v2.1.1)
CVE-2025-32441 (Rack is a modular Ruby web server interface. Prior to version 2.2.14, ...)
- ruby-rack 3.0.8-2
- [bullseye] - ruby-rack <postponed> (Minor issue, prolonging already hihacked session)
NOTE: https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
NOTE: Fixed by: https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d (2.2.14)
NOTE: Related code was moved to rack-session in 3.0.0.beta1 and thus mark 3.0.8-2 as the first
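Review bot: the last NOTE line records that the affected session code moved to rack-session in 3.0.0.beta1, so for the 2.1.4 series in bullseye the fix correctly lands in ruby-rack itself rather than in a separate rack-session package; the removed postponed line is the only change needed here. The typo "hihacked" lives on the removed line and goes away with it, so no follow-up is required for that.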
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[01 Nov 2025] DLA-4357-1 ruby-rack - security update
+ {CVE-2025-32441 CVE-2025-46727 CVE-2025-59830 CVE-2025-61770 CVE-2025-61771 CVE-2025-61772 CVE-2025-61780 CVE-2025-61919}
+ [bullseye] - ruby-rack 2.1.4-3+deb11u4
[31 Oct 2025] DLA-4356-1 ublock-origin - security update
[bullseye] - ublock-origin 1.67.0+dfsg-1~deb11u1
[31 Oct 2025] DLA-4355-1 mediawiki - security update
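Review bot: the new entry lists eight CVEs, but this commit removes a `[bullseye]` postponed tag from data/CVE/list for only CVE-2025-46727 and CVE-2025-32441; confirm that the other six (CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61780, CVE-2025-61919) have no remaining bullseye postponed marker, since a stale tag would contradict the fixed version 2.1.4-3+deb11u4 recorded here. The entry layout (date, DLA id, package, brace-enclosed CVE set, then the `[bullseye]` fixed line) matches the adjacent DLA-4356-1 and DLA-4355-1 entries.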
=====================================
data/dla-needed.txt
=====================================
@@ -301,13 +301,6 @@ rails
NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11)
NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc)
--
-ruby-rack (Utkarsh)
- NOTE: 20250927: Added by Front-Desk (utkarsh)
- NOTE: 20250927: also in dsa-needed.txt; will prepare update for both with
- NOTE: 20250927: maintainer hat on. (utkarsh)
- NOTE: 20251014: didn't get enough time - was looking at wordpress. but will look soon now. (utkarsh)
- NOTE: 20251026: backported patches; will test & upload them in the coming week. (utkarsh)
---
sogo
NOTE: 20240922: Added by Front-Desk (apo)
NOTE: 20240922: See also postponed issues.
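Review bot: the removed 20250927 note says ruby-rack is also listed in dsa-needed.txt and that both updates would be prepared together, yet the commit touches only the three files listed above; if the DSA side is still pending, that entry should stay, otherwise it needs its own removal so the two queues do not drift apart. The separator handling is right: the hunk keeps the `--` after the rails notes and removes the one after the ruby-rack notes, leaving exactly one separator between rails and sogo (3 context + 7 removed + 3 context = 13 old lines, 6 new, as the header states).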
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19f98efd08aac40a4e72d0fb08f95d5f5822e014