Security update for rubygem-rack-1_6 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1492-1 Final 1 1 2025-05-06T14:36:01Z current 2025-05-06T14:36:01Z 2025-05-06T14:36:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-rack-1_6 This update for rubygem-rack-1_6 fixes the following issues: - CVE-2025-27111: Fixed Escape Sequence Injection vulnerability (bsc#1238607) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1492,openSUSE-SLE-15.6-2025-1492 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251492-1/ Link for SUSE-SU-2025:1492-1 https://lists.suse.com/pipermail/sle-updates/2025-May/039163.html E-Mail link for SUSE-SU-2025:1492-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1238607 SUSE Bug 1238607 https://www.suse.com/security/cve/CVE-2025-27111/ SUSE CVE CVE-2025-27111 page openSUSE Leap 15.6 ruby2.5-rubygem-rack-1_6-1.6.8-150000.3.6.1 ruby2.5-rubygem-rack-doc-1_6-1.6.8-150000.3.6.1 ruby2.5-rubygem-rack-testsuite-1_6-1.6.8-150000.3.6.1 ruby2.5-rubygem-rack-1_6-1.6.8-150000.3.6.1 as a component of openSUSE Leap 15.6 ruby2.5-rubygem-rack-doc-1_6-1.6.8-150000.3.6.1 as a component of openSUSE Leap 15.6 ruby2.5-rubygem-rack-testsuite-1_6-1.6.8-150000.3.6.1 as a component of openSUSE Leap 15.6 Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11. CVE-2025-27111 openSUSE Leap 15.6:ruby2.5-rubygem-rack-1_6-1.6.8-150000.3.6.1 openSUSE Leap 15.6:ruby2.5-rubygem-rack-doc-1_6-1.6.8-150000.3.6.1 openSUSE Leap 15.6:ruby2.5-rubygem-rack-testsuite-1_6-1.6.8-150000.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251492-1/ https://www.suse.com/security/cve/CVE-2025-27111.html CVE-2025-27111 https://bugzilla.suse.com/1238607 SUSE Bug 1238607