[DRE-maint] Bug#1109345: unblock: ruby-rack-session/2.1.1-0.1
Bastian Germann
bage at debian.org
Tue Jul 15 15:18:17 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: ruby-rack-session at packages.debian.org
Control: affects -1 + src:ruby-rack-session
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package ruby-rack-session
[ Reason ]
Grave bug #1104928.
[ Impact ]
Security issue that allows a deleted session to be recovered.
[ Tests ]
The debdiff introduces a new test to check for the vulnerability.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
I have handled this as an NMU.
unblock ruby-rack-session/2.1.1-0.1
-------------- next part --------------
diff -Nru ruby-rack-session-2.1.0/debian/changelog ruby-rack-session-2.1.1/debian/changelog
--- ruby-rack-session-2.1.0/debian/changelog 2025-03-08 16:10:24.000000000 +0100
+++ ruby-rack-session-2.1.1/debian/changelog 2025-07-15 13:10:44.000000000 +0200
@@ -1,3 +1,10 @@
+ruby-rack-session (2.1.1-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream version 2.1.1. (Closes: #1104928, CVE-2025-46336)
+
+ -- Bastian Germann <bage at debian.org> Tue, 15 Jul 2025 13:10:44 +0200
+
ruby-rack-session (2.1.0-1) unstable; urgency=medium
* New upstream version 2.1.0.
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/pool.rb ruby-rack-session-2.1.1/lib/rack/session/pool.rb
--- ruby-rack-session-2.1.0/lib/rack/session/pool.rb 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/pool.rb 2025-05-06 12:54:57.000000000 +0200
@@ -53,6 +53,7 @@
def write_session(req, session_id, new_session, options)
@mutex.synchronize do
+ return false unless get_session_with_fallback(session_id)
@pool.store session_id.private_id, new_session
session_id
end
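Review bot: The new guard `return false unless get_session_with_fallback(session_id)` in write_session carries no comment, and the reason for refusing a write for an unknown id is not obvious once the advisory context is gone; add above it `# Refuse to (re)create a session that was deleted or never existed: a request that raced a delete/renew could otherwise resurrect it (CVE-2025-46336).` The helper is also called while @mutex is already held, which is only safe if get_session_with_fallback does not itself take that mutex (Ruby's Mutex is not reentrant); that cannot be confirmed from this hunk. The closing `end` of write_session lies outside the hunk.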
@@ -62,7 +63,12 @@
@mutex.synchronize do
@pool.delete(session_id.public_id)
@pool.delete(session_id.private_id)
- generate_sid(use_mutex: false) unless options[:drop]
+
+ unless options[:drop]
+ sid = generate_sid(use_mutex: false)
+ @pool.store(sid.private_id, {})
+ sid
+ end
end
end
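Review bot: The added `@pool.store(sid.private_id, {})` in delete_session seeds an empty session under the renewed id before it is returned, but nothing explains why an entry is created eagerly; add `# Pre-register the renewed id so the following write_session, which now rejects unknown ids, can persist it.` That rationale is inferred from the write_session change in the previous hunk rather than from this one, so confirm the dependency holds before relying on it. The `def delete_session` line is outside the hunk.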
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/version.rb ruby-rack-session-2.1.1/lib/rack/session/version.rb
--- ruby-rack-session-2.1.0/lib/rack/session/version.rb 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/version.rb 2025-05-06 12:54:57.000000000 +0200
@@ -5,6 +5,6 @@
module Rack
module Session
- VERSION = "2.1.0"
+ VERSION = "2.1.1"
end
end
diff -Nru ruby-rack-session-2.1.0/releases.md ruby-rack-session-2.1.1/releases.md
--- ruby-rack-session-2.1.0/releases.md 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/releases.md 2025-05-06 12:54:57.000000000 +0200
@@ -1,5 +1,9 @@
# Releases
+## v2.1.1
+
+ - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+
## v2.1.0
- Improved compatibility with Ruby 3.3+ and Rack 3+.
diff -Nru ruby-rack-session-2.1.0/test/spec_session_pool.rb ruby-rack-session-2.1.1/test/spec_session_pool.rb
--- ruby-rack-session-2.1.0/test/spec_session_pool.rb 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/test/spec_session_pool.rb 2025-05-06 12:54:57.000000000 +0200
@@ -288,4 +288,52 @@
res = Rack::MockRequest.new(app).get("/")
res["Set-Cookie"].must_be_nil
end
+
+ user_id_session = Rack::Lint.new(lambda do |env|
+ session = env["rack.session"]
+
+ case env["PATH_INFO"]
+ when "/login"
+ session[:user_id] = 1
+ when "/logout"
+ if session[:user_id].nil?
+ raise "User not logged in"
+ end
+
+ session.delete(:user_id)
+ session.options[:renew] = true
+ when "/slow"
+ Fiber.yield
+ end
+
+ Rack::Response.new(session.inspect).to_a
+ end)
+
+ it "doesn't allow session id to be reused" do
+ app = Rack::Session::Pool.new(user_id_session)
+
+ login_response = Rack::MockRequest.new(app).get("/login")
+ login_cookie = login_response["Set-Cookie"]
+
+ slow_request = Fiber.new do
+ Rack::MockRequest.new(app).get("/slow", "HTTP_COOKIE" => login_cookie)
+ end
+ slow_request.resume
+
+ # Check that the session is valid:
+ response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie)
+ response.body.must_equal({"user_id" => 1}.to_s)
+
+ logout_response = Rack::MockRequest.new(app).get("/logout", "HTTP_COOKIE" => login_cookie)
+ logout_cookie = logout_response["Set-Cookie"]
+
+ # Check that the session id is different after logout:
+ login_cookie[session_match].wont_equal logout_cookie[session_match]
+
+ slow_response = slow_request.resume
+
+ # Check that the cookie can't be reused:
+ response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie)
+ response.body.must_equal "{}"
+ end
end
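Review bot: `slow_response` on the line `slow_response = slow_request.resume` is assigned but never used, so the outcome of the raced request itself is never checked. Either drop the assignment (`slow_request.resume`) or, if the intended contract is that the stale request must not reissue the old session, assert on its headers; what its Set-Cookie value should be cannot be determined from this hunk. The case also depends on `session_match` and the enclosing `describe` block, both defined outside the hunk.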