[Git][security-tracker-team/security-tracker][master] Add some more ruby-rack issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 2 22:18:46 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
020d7e58 by Salvatore Bonaccorso at 2026-04-02T23:18:12+02:00
Add some more ruby-rack issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -110,9 +110,18 @@ CVE-2026-34876 (An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-
- mbedtls <unfixed>
NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/
CVE-2026-34835 (Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
+ NOTE: Fixed by: https://github.com/rack/rack/commit/224662608dad63b31ba138d7e76e4ca8e42e9fc6 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/c49558af795b4c1978d16db071c8344db05a2b0d (v3.1.21)
CVE-2026-34831 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
+ NOTE: Fixed by: https://github.com/rack/rack/commit/10ecd9a8a02083297f925f0d9255a93ebde4c0da (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/367a2a0ec6fbef605c9412dadfd5763b7867441f (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/a75847314e8ad847a5b66e7215381c4ed51f6aa7 (v2.2.23)
CVE-2026-34830 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
[experimental] - ruby-rack 3.2.6-1
- ruby-rack <unfixed>
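Review bot: both CVE-2026-34835 and CVE-2026-34831 go from `TODO: check` to only an `[experimental] - ruby-rack 3.2.6-1` line plus `- ruby-rack <unfixed>`, with no bug reference on the unstable line and no status for the suites that ship the older branches; the Fixed-by sets show why that matters here, since CVE-2026-34831 lists backports for v3.2.6, v3.1.21 and v2.2.23 while CVE-2026-34835 (described as "From versions 3.0.0.beta1") has only v3.2.6 and v3.1.21, so the 2.2.x and 3.1.x suites need their own annotation before these entries can be considered triaged. The descriptions and the listed commit sets are consistent with each other, and the ordering of the experimental line before the unstable line matches the existing CVE-2026-34830 entry directly below.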
@@ -136,7 +145,12 @@ CVE-2026-34827 (Rack is a modular Ruby web server interface. From versions 3.0.0
NOTE: Fixed by: https://github.com/rack/rack/commit/bfb69142dbe2a1e3298ad52d12935938d1b58205 (v3.2.6)
NOTE: Fixed by: https://github.com/rack/rack/commit/17ce7836be1523a7b453f3c06fe070ad7c954708 (v3.1.21)
CVE-2026-34826 (Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
+ NOTE: Fixed by: https://github.com/rack/rack/commit/9138756fb0bcfb500abbb0b8ed90bc24911ff6a3 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/345a4cfa51f451e58b2931322998e04f3cf6dc0d (v3.1.21)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/94a7ca91a750ced0e445f39fabbc8ee6d2ab3bf1 (v2.2.23)
CVE-2026-34823 (Endian Firewall version 3.3.25 and prior allow stored cross-site scrip ...)
TODO: check
CVE-2026-34822 (Endian Firewall version 3.3.25 and prior allow stored cross-site scrip ...)
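Review bot: CVE-2026-34826 carries three Fixed-by commits (v3.2.6, v3.1.21, v2.2.23), in the same descending branch order as CVE-2026-34831, and its "Prior to versions 2.2.23" description confirms the 2.2.x branch is affected, so the v2.2.23 commit on the last added line is the one to pick when a suite carrying ruby-rack 2.2.x is assessed; as with the other entries in this commit, `- ruby-rack <unfixed>` for unstable stays open with no bug reference. The neighbouring Endian Firewall entries (CVE-2026-34823, CVE-2026-34822) are untouched context and unrelated to this change.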
@@ -323,7 +337,11 @@ CVE-2026-33271 (Local privilege escalation due to insecure folder permissions. T
CVE-2026-32871 (FastMCP is a Pythonic way to build MCP servers and clients. Prior to v ...)
TODO: check
CVE-2026-32762 (Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 ...)
- TODO: check
+ [experimental] - ruby-rack 3.2.6-1
+ - ruby-rack <unfixed>
+ NOTE: https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
+ NOTE: Fixed by: https://github.com/rack/rack/commit/27e06c695f3a47bdd9d21a1a7e8d97e12c52c255 (v3.2.6)
+ NOTE: Fixed by: https://github.com/rack/rack/commit/9df5d34d4f496b22b8d07e919447e9dfa3240d41 (v3.1.21)
CVE-2026-32629 (phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1 ...)
TODO: check
CVE-2026-32145 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
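Review bot: CVE-2026-32762 is the one rack entry in this commit numbered outside the CVE-2026-348xx block, but its shape is the same as the others: two Fixed-by commits (v3.2.6, v3.1.21) and no v2.2.23 backport, which matches the "From versions 3.0.0.beta1" description, so no branch appears to be missing from the notes. The unrelated `TODO: check` entries for FastMCP (CVE-2026-32871) and phpMyFAQ (CVE-2026-32629) are left as context, which keeps the commit scoped to the rack advisories as the subject line states.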
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/020d7e58d452473352013fc23d8c8155064df084