[DRE-maint] Bug#1118290: ruby-sinatra: CVE-2025-61921
Antonio Terceiro
terceiro at debian.org
Mon Oct 20 00:08:54 BST 2025
On Fri, Oct 17, 2025 at 09:42:40PM +0200, Salvatore Bonaccorso wrote:
> Source: ruby-sinatra
> Version: 4.1.1-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 4.1.1-6
>
> Hi,
>
> The following vulnerability was published for ruby-sinatra.
>
> CVE-2025-61921[0]:
> | Sinatra is a domain-specific language for creating web applications
> | in Ruby. In versions prior to 4.2.0, there is a denial of service
> | vulnerability in the `If-Match` and `If-None-Match` header parsing
> | component of Sinatra, if the `etag` method is used when constructing
> | the response. Carefully crafted input can cause `If-Match` and
> | `If-None-Match` header parsing in Sinatra to take an unexpected amount
> | of time, possibly resulting in a denial of service attack vector.
> | This header is typically involved in generating the `ETag` header
> | value. Any applications that use the `etag` method when generating a
> | response are impacted. Version 4.2.0 fixes the issue.
[...]
> [2] https://github.com/sinatra/sinatra/issues/2120
The upstream issue says that this bug is only a problem on Ruby < 3.2,
which means that only oldstable and older are actually affected.
I'm uploading a new upstream version to unstable containing the fix,
but this should be marked as not affecting stable.
I also prepared a bookworm upload: the diff is attached. Please let me
know if I can just upload that.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-sinatra-CVE-2025-61921.diff
Type: text/x-diff
Size: 2014 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20251019/6e814c78/attachment-0001.diff>
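For readers assessing their own deployments, the following is an added example and is not Sinatra's code, Antonio's patch, or the upstream fix. It parses the `If-Match` / `If-None-Match` list grammar from RFC 7232 with a single forward scan and no regular expressions, so its run time does not depend on the Ruby regex engine at all, and it applies the strong/weak comparison rules an `etag` helper needs to pick 304 or 412. The function and constant names (`parse_etag_list`, `etag_matches?`, `conditional_status`, `ruby_at_least_3_2?`, `SAMPLE_HEADERS`) and the sample header values are assumptions made for this illustration; the version check only encodes what the thread above reports about Ruby < 3.2.

```ruby
require "rubygems"

# Constructed sample input for this example (not from the bug report):
# a strong response ETag and the conditional headers a client might send.
SAMPLE_RESPONSE_TAG = [false, "v1-abc"].freeze
SAMPLE_HEADERS = { "If-None-Match" => 'W/"v0-old", "v1-abc"' }.freeze

# True when the interpreter is at or above 3.2, the version from which the
# upstream issue (as relayed in this thread) says the slow path is gone.
def ruby_at_least_3_2?(version = RUBY_VERSION)
  Gem::Version.new(version) >= Gem::Version.new("3.2.0")
end

# Parse an If-Match / If-None-Match value such as  W/"abc", "def"  or  *.
# Returns :any for "*", an array of [weak?, opaque] pairs otherwise, or nil
# for malformed input (unterminated quote, junk between tags, empty list).
# One left-to-right pass, so work is linear in the header length.
def parse_etag_list(value)
  return :any if value.strip == "*"

  tags = []
  i = 0
  n = value.length
  while i < n
    # Skip optional whitespace and list separators before a tag.
    i += 1 while i < n && (value[i] == " " || value[i] == "\t" || value[i] == ",")
    break if i >= n

    weak = false
    if value[i, 2] == "W/"
      weak = true
      i += 2
    end
    return nil unless value[i] == '"' # an entity-tag must be quoted

    i += 1
    start = i
    i += 1 while i < n && value[i] != '"'
    return nil if i >= n # unterminated quoted string

    tags << [weak, value[start...i]]
    i += 1
    # Only whitespace, a comma, or end of input may follow a tag.
    i += 1 while i < n && (value[i] == " " || value[i] == "\t")
    return nil unless i >= n || value[i] == ","
  end
  tags.empty? ? nil : tags
end

# Does the response tag satisfy the header?  strong: true applies the
# strong comparison (If-Match); false applies the weak comparison
# (If-None-Match), which ignores the W/ prefix on either side.
def etag_matches?(header_value, response_tag, strong:)
  list = parse_etag_list(header_value)
  return false if list.nil?
  return true if list == :any

  weak_resp, opaque_resp = response_tag
  list.any? do |weak_req, opaque_req|
    next false unless opaque_req == opaque_resp
    strong ? !(weak_req || weak_resp) : true
  end
end

# Decide the conditional-request outcome for a response carrying
# response_tag: 412 when If-Match fails, 304 (GET/HEAD) or 412 (other
# methods) when If-None-Match matches, nil when the request may proceed.
def conditional_status(request_method, headers, response_tag)
  if (if_match = headers["If-Match"]) &&
     !etag_matches?(if_match, response_tag, strong: true)
    return 412
  end
  if (if_none = headers["If-None-Match"]) &&
     etag_matches?(if_none, response_tag, strong: false)
    return %w[GET HEAD].include?(request_method) ? 304 : 412
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}, >= 3.2: #{ruby_at_least_3_2?}"
  p parse_etag_list(SAMPLE_HEADERS["If-None-Match"])
  p conditional_status("GET", SAMPLE_HEADERS, SAMPLE_RESPONSE_TAG)
end
```

The parser rejects anything that is not a well-formed list rather than trying to recover, which is the safer default for a header that an unauthenticated client controls; an application that still needs to run on Ruby < 3.2 gets predictable cost per byte regardless of how the value is shaped.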