[DRE-maint] Bug#1118453: bookworm-pu: package ruby-sinatra/3.0.5-3+deb12u1
Antonio Terceiro
terceiro at debian.org
Mon Oct 20 13:10:10 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ruby-sinatra at packages.debian.org
Control: affects -1 + src:ruby-sinatra
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
This update fixes a possible regular-expression-related DoS that is
publicly reported as CVE-2025-61921. It has been fixed in unstable with
4.2.1-1. stable (trixie) is not affected as it only applies to Ruby
versions < 3.2.
[ Impact ]
Depending on the application, a specially crafted request can cause a
DoS.
[ Tests ]
The fix is trivial and just replaces a potentially vulnerable regular
expression with a different implementation. All the tests from the
package itself still pass. I also tested the reverse dependencies that
are applications (pcs and schleuder) via autopkgtest and this change
causes no regression.
[ Risks ]
I can't see any.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- 1-line patch cherry-picked from upstream
- 1-line change to debian/gbp.conf to make it easier to provide future
updates.
[ Other info ]
Since this is trivial, I already uploaded it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-sinatra-bookworm.diff
Type: text/x-diff
Size: 2016 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20251020/09023c6f/attachment.diff>
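The report above says the regex DoS only applies to Ruby < 3.2, and that the fix swaps one regular expression for a different implementation, but the debdiff itself is only an attachment here and the report does not quote the affected pattern. The following is an added illustration, not code from ruby-sinatra, the debdiff or the reporter: it uses the textbook nested-quantifier pattern `/\A(a+)+\z/` (an assumption standing in for whatever Sinatra replaced) to show why Ruby 3.2's match memoization makes newer runtimes immune, how to bound a match on either runtime, and how the linear rewrite behaves. The helper names `match_with_budget` and `redos_report` are invented for this example.

```ruby
# Added illustration for this bug report; not code from ruby-sinatra or the
# attached debdiff. The pattern below is the textbook nested-quantifier shape,
# chosen only to show the Ruby < 3.2 vs >= 3.2 difference; the report does
# not say which expression Sinatra replaced.
require "timeout"

# Exponential-backtracking pattern: on "aaaa...a!" every way of splitting the
# a-run between the inner and outer quantifier is tried before failing.
EVIL_PATTERN = /\A(a+)+\z/
# Same language, linear time: no ambiguity about how the a-run is grouped.
SAFE_PATTERN = /\Aa+\z/

# Ruby 3.2 added regex match memoization (and Regexp timeouts); that is why
# the report says the issue only applies to Ruby < 3.2.
RUNTIME_MEMOIZES_REGEX =
  Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.2.0")

# Regexp::TimeoutError exists only on Ruby >= 3.2; older runtimes get the
# Timeout module's Timeout::Error from the fallback path below.
BUDGET_EXCEEDED =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Timeout::Error

# Match `input` against `pattern` but give up after `budget` seconds.
# Returns :matched, :no_match or :timed_out.
def match_with_budget(pattern, input, budget: 1.0)
  result =
    if defined?(Regexp::TimeoutError)
      # Ruby >= 3.2: the timeout is enforced inside the regex engine itself.
      Regexp.new(pattern.source, pattern.options, timeout: budget).match?(input)
    else
      # Older Ruby: fall back to a thread-interrupt based timeout.
      Timeout.timeout(budget) { pattern.match?(input) }
    end
  result ? :matched : :no_match
rescue BUDGET_EXCEEDED
  :timed_out
end

# Run both patterns against a constructed hostile input (26 a's and a
# non-matching tail) and report what this runtime did with each.
def redos_report(input = "a" * 26 + "!")
  {
    ruby: RUBY_VERSION,
    memoized_runtime: RUNTIME_MEMOIZES_REGEX,
    evil: match_with_budget(EVIL_PATTERN, input),
    safe: match_with_budget(SAFE_PATTERN, input),
  }
end

if __FILE__ == $PROGRAM_NAME
  # On Ruby >= 3.2 :evil is :no_match almost instantly (memoized backtracking);
  # on older runtimes it is :timed_out. :safe is :no_match everywhere.
  p redos_report
end
```

Running this on a bookworm Ruby (3.1) and on a trixie Ruby (3.3) side by side reproduces the report's claim: the same pattern is a DoS vector on the older runtime and harmless on the newer one, and the linear rewrite is harmless on both. The timeout wrapper is a containment measure for code you cannot change yet; the durable fix is the one taken in the package, replacing the ambiguous pattern.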