[Git][security-tracker-team/security-tracker][master] Add new ruby-rack issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 2 21:55:14 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
322edd97 by Salvatore Bonaccorso at 2026-04-02T22:54:43+02:00
Add new ruby-rack issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -114,13 +114,27 @@ CVE-2026-34835 (Rack is a modular Ruby web server interface. From versions 3.0.0
CVE-2026-34831 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
TODO: check
CVE-2026-34830 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
+ NOTE: Fixed by: https://github.com/rack/rack/commit/a57bc140247f904dc1e3302badedcb73645072c7 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/59a0966a484f2903833fa3e4c81919d3c645738d (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/7f288de93768b5cc44a5f4ed1ac02470d8fe52f4 (v2.2.23)
CVE-2026-34829 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
+ NOTE: Fixed by: https://github.com/rack/rack/commit/b3e5945c648c5a5b6982e5072b26e51990991229 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/367a2a0ec6fbef605c9412dadfd5763b7867441f (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/c42e357995065aa0c144eba0215a689d8105e4de (v2.2.23)
CVE-2026-34828 (listmonk is a standalone, self-hosted, newsletter and mailing list man ...)
TODO: check
CVE-2026-34827 (Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
+ NOTE: Fixed by: https://github.com/rack/rack/commit/bfb69142dbe2a1e3298ad52d12935938d1b58205 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/17ce7836be1523a7b453f3c06fe070ad7c954708 (v3.1.21)
CVE-2026-34826 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
TODO: check
CVE-2026-34823 (Endian Firewall version 3.3.25 and prior allow stored cross-site scrip ...)
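Review bot: CVE-2026-34827 is described as starting "From versions 3.0.0.beta1" and lists fix commits only for v3.2.6 and v3.1.21, yet it carries the same blanket `- ruby-rack <unfixed>` line as the CVEs that also have a v2.2.23 fix. Suggest adding a NOTE that names the introducing version or commit, so that any suite still shipping a 2.2.x ruby-rack can be marked `<not-affected>` rather than inheriting the unfixed status.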
@@ -194,7 +208,12 @@ CVE-2026-34790 (Endian Firewall version 3.3.25 and prior allow authenticated use
CVE-2026-34786 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
TODO: check
CVE-2026-34785 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
+ NOTE: Fixed by: https://github.com/rack/rack/commit/7a8f32696609b88e2c4c1f09d473a1d2d837ed4b (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/a17cb99b3440a4db09fb920407adf5ead127704c (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/203730e4abb2fac3a0514d6dc3ac56de82bdff9a (v2.2.23)
CVE-2026-34763 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
TODO: check
CVE-2026-34759 (OneUptime is an open-source monitoring and observability platform. Pri ...)
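Review bot: the context on either side of the CVE-2026-34785 entry shows CVE-2026-34786 and CVE-2026-34763, both Rack issues with the same "Prior to versions 2.2.23" description, still at `TODO: check`. If they are resolved by the same upstream releases, triage them in this pass as well; otherwise the commit message should say that the ruby-rack batch is partial, so the remaining entries are not assumed to be done.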
@@ -372,7 +391,12 @@ CVE-2026-27774 (Local privilege escalation due to DLL hijacking vulnerability. T
CVE-2026-26962 (Rack is a modular Ruby web server interface. From version 3.2.0 to bef ...)
TODO: check
CVE-2026-26961 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
+ NOTE: Fixed by: https://github.com/rack/rack/commit/1c0b723dbb0a01ac509ce971e0bd859f405a8e61 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/10626530f3c54a0cd54bee1150e851aa238249e4 (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/d3804939c47304cf1e64558f1d713d3116396ae9 (v2.2.23)
CVE-2026-26928 (SzafirHostdownloads necessary files in the context of the initiating w ...)
TODO: check
CVE-2026-26927 (Szafir SDK Web is a browser plug-in that can run SzafirHost applicatio ...)
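Review bot: the `- ruby-rack <unfixed>` line added for CVE-2026-26961 has no Debian bug reference, so nothing ties the open unstable status to a report the package maintainer can act on. Once a bug is filed, append it to that line in the usual `(bug #NNNNNN)` form; the same applies to the other `<unfixed>` lines added in this commit.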
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/322edd97c38fb5615396056727530e393ac51388