ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13727 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media These are all security issues fixed in the ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13727 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13727 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-0262/ SUSE CVE CVE-2013-0262 page https://www.suse.com/security/cve/CVE-2013-0263/ SUSE CVE CVE-2013-0263 page https://www.suse.com/security/cve/CVE-2015-3225/ SUSE CVE CVE-2015-3225 page https://www.suse.com/security/cve/CVE-2018-16471/ SUSE CVE CVE-2018-16471 page https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page https://www.suse.com/security/cve/CVE-2020-8184/ SUSE CVE CVE-2020-8184 page https://www.suse.com/security/cve/CVE-2022-30122/ SUSE CVE CVE-2022-30122 page https://www.suse.com/security/cve/CVE-2022-30123/ SUSE CVE CVE-2022-30123 page https://www.suse.com/security/cve/CVE-2022-44570/ SUSE CVE CVE-2022-44570 page https://www.suse.com/security/cve/CVE-2022-44571/ SUSE CVE CVE-2022-44571 page https://www.suse.com/security/cve/CVE-2022-44572/ SUSE CVE CVE-2022-44572 page https://www.suse.com/security/cve/CVE-2023-27530/ SUSE CVE CVE-2023-27530 page https://www.suse.com/security/cve/CVE-2023-27539/ SUSE CVE CVE-2023-27539 page https://www.suse.com/security/cve/CVE-2024-25126/ SUSE CVE CVE-2024-25126 page https://www.suse.com/security/cve/CVE-2024-26141/ SUSE CVE CVE-2024-26141 page https://www.suse.com/security/cve/CVE-2024-26146/ SUSE CVE CVE-2024-26146 page openSUSE Tumbleweed ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 as a component of openSUSE Tumbleweed rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." CVE-2013-0262 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0262.html CVE-2013-0262 https://bugzilla.suse.com/802795 SUSE Bug 802795 Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. CVE-2013-0263 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0263.html CVE-2013-0263 https://bugzilla.suse.com/802794 SUSE Bug 802794 https://bugzilla.suse.com/809839 SUSE Bug 809839 lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. CVE-2015-3225 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3225.html CVE-2015-3225 https://bugzilla.suse.com/934797 SUSE Bug 934797 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. CVE-2018-16471 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16471.html CVE-2018-16471 https://bugzilla.suse.com/1114828 SUSE Bug 1114828 https://bugzilla.suse.com/1116600 SUSE Bug 1116600 https://bugzilla.suse.com/1122178 SUSE Bug 1122178 There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. CVE-2020-8184 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8184.html CVE-2020-8184 https://bugzilla.suse.com/1173351 SUSE Bug 1173351 https://bugzilla.suse.com/1177352 SUSE Bug 1177352 https://bugzilla.suse.com/1193081 SUSE Bug 1193081 A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. CVE-2022-30122 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30122.html CVE-2022-30122 https://bugzilla.suse.com/1200748 SUSE Bug 1200748 https://bugzilla.suse.com/1201588 SUSE Bug 1201588 A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. CVE-2022-30123 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30123.html CVE-2022-30123 https://bugzilla.suse.com/1200750 SUSE Bug 1200750 A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. CVE-2022-44570 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-44570.html CVE-2022-44570 https://bugzilla.suse.com/1207597 SUSE Bug 1207597 There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. CVE-2022-44571 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-44571.html CVE-2022-44571 https://bugzilla.suse.com/1207599 SUSE Bug 1207599 A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. CVE-2022-44572 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-44572.html CVE-2022-44572 https://bugzilla.suse.com/1207596 SUSE Bug 1207596 A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. CVE-2023-27530 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-27530.html CVE-2023-27530 https://bugzilla.suse.com/1209095 SUSE Bug 1209095 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2023-27539 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-27539.html CVE-2023-27539 https://bugzilla.suse.com/1209503 SUSE Bug 1209503 Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1. CVE-2024-25126 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-25126.html CVE-2024-25126 https://bugzilla.suse.com/1220239 SUSE Bug 1220239 Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1. CVE-2024-26141 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-26141.html CVE-2024-26141 https://bugzilla.suse.com/1220242 SUSE Bug 1220242 Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1. CVE-2024-26146 openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-26146.html CVE-2024-26146 https://bugzilla.suse.com/1220248 SUSE Bug 1220248