[DRE-maint] Bug#1118290: ruby-sinatra: CVE-2025-61921

Salvatore Bonaccorso carnil at debian.org
Mon Oct 20 05:36:50 BST 2025


Hi Antonio,

On Sun, Oct 19, 2025 at 08:08:54PM -0300, Antonio Terceiro wrote:
> On Fri, Oct 17, 2025 at 09:42:40PM +0200, Salvatore Bonaccorso wrote:
> > Source: ruby-sinatra
> > Version: 4.1.1-5
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > Control: found -1 4.1.1-6
> > 
> > Hi,
> > 
> > The following vulnerability was published for ruby-sinatra.
> > 
> > CVE-2025-61921[0]:
> > | Sinatra is a domain-specific language for creating web applications
> > | in Ruby. In versions prior to 4.2.0, there is a denial of service
> > | vulnerability in the `If-Match` and `If-None-Match` header parsing
> > | component of Sinatra, if the `etag` method is used when constructing
> > | the response. Carefully crafted input can cause `If-Match` and
> > | `If-None-Match` header parsing in Sinatra to take an unexpected
> > | amount of time, possibly resulting in a denial of service attack vector.
> > | This header is typically involved in generating the `ETag` header
> > | value. Any applications that use the `etag` method when generating a
> > | response are impacted. Version 4.2.0 fixes the issue.
> [...]
> > [2] https://github.com/sinatra/sinatra/issues/2120
> 
> The upstream issue says that this bug is only a problem on Ruby < 3.2,
> which means that only oldstable and older are actually affected.
> 
> I'm uploading a new upstream version to unstable containing the fix,
> but this should be marked as not affecting stable.

Thanks for the update. This would be a perfect candidate for the
future nonissue state (as the source is applicable). I have marked it
as "ignored" (only a problem together with Ruby < 3.2).

> I also prepared a bookworm upload: the diff is attached. Please let me
> know if I can just upload that.

We did mark it no-dsa, so can you prepare a point release update for
that? Note one comment below:

> diff --git a/debian/changelog b/debian/changelog
> index 7c23102..cdb81b8 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +ruby-sinatra (3.0.5-3+deb13u1) bookworm; urgency=high
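Review bot: the suite suffix in the new changelog stanza does not match its target: bookworm is Debian 12, so a stable update should be versioned 3.0.5-3+deb12u1, not +deb13u1 (a +deb13u1 version sorts above any later genuine bookworm update and collides with the numbering reserved for trixie). The hunk header announces seven added lines but only the first is quoted here, so the remainder of the entry (CVE reference, bug closure) cannot be checked from this excerpt.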

The Version should be 3.0.5-3+deb12u1 here for bookworm.

Regards,
Salvatore
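The advisory quoted above concerns slow parsing of the `If-Match` and `If-None-Match` headers on Ruby < 3.2 with Sinatra < 4.2.0. As an added example that is not part of this thread, the Debian package or upstream Sinatra, the following Rack-compatible middleware bounds the size of those two conditional headers before a request reaches the application, as a defence-in-depth layer for deployments that cannot yet move to Sinatra 4.2.0 or Ruby 3.2. The class name, the 1024-byte cap and the use of HTTP 431 are assumptions; this is a mitigation layer in front of the app, not the upstream fix.

```ruby
# Added example: a Rack-style middleware that rejects requests whose
# conditional headers are unreasonably long before Sinatra parses them.
# Not the upstream fix for CVE-2025-61921; a defence-in-depth layer for
# deployments still on Sinatra < 4.2.0 with Ruby < 3.2. Assumption: a
# 1024-byte cap is generous for any legitimate list of entity tags.

class ConditionalHeaderLimit
  # Rack exposes request headers in env as HTTP_<UPPERCASED_NAME>.
  GUARDED = %w[HTTP_IF_MATCH HTTP_IF_NONE_MATCH].freeze
  DEFAULT_MAX = 1024

  def initialize(app, max_bytes: DEFAULT_MAX)
    @app = app
    @max = max_bytes
  end

  # Returns the env key of the first oversized guarded header, or nil.
  def self.oversized_header(env, max_bytes = DEFAULT_MAX)
    GUARDED.find { |k| env[k].is_a?(String) && env[k].bytesize > max_bytes }
  end

  def call(env)
    if (bad = self.class.oversized_header(env, @max))
      name = bad.sub('HTTP_', '').tr('_', '-')
      body = "#{name} header exceeds #{@max} bytes\n"
      # 431 Request Header Fields Too Large; the app never sees the header.
      return [431,
              { 'content-type' => 'text/plain',
                'content-length' => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Minimal downstream app standing in for a Sinatra app that calls `etag`.
DOWNSTREAM = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }

# Runs one constructed Rack env through the middleware and returns the triplet.
def handle(env)
  ConditionalHeaderLimit.new(DOWNSTREAM).call(env)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a normal conditional GET and an oversized one.
  normal = { 'REQUEST_METHOD' => 'GET',
             'HTTP_IF_NONE_MATCH' => '"abc123", W/"def456"' }
  huge   = { 'REQUEST_METHOD' => 'GET',
             'HTTP_IF_MATCH' => '"' + ('x' * 5000) }
  puts handle(normal)[0] # 200
  puts handle(huge)[0]   # 431
end
```

The middleware is mounted with `use ConditionalHeaderLimit` in a `config.ru` ahead of the Sinatra app; because it only inspects two env keys it adds no measurable cost to ordinary requests, and it removes the oversized input from the parsing path rather than trying to second-guess the parser itself.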
