Security update for rubygem-rack SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1131-1 Final 1 1 2024-04-08T09:28:18Z current 2024-04-08T09:28:18Z 2024-04-08T09:28:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-rack This update for rubygem-rack fixes the following issues: - CVE-2024-25126: Fixed a denial-of-service vulnerability in Rack Content-Type parsing (bsc#1220239). - CVE-2024-26141: Fixed a denial-of-service vulnerability in Range request header parsing (bsc#1220242). - CVE-2024-26146: Fixed a denial-of-service vulnerability in Rack headers parsing routine (bsc#1220248). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1131,SUSE-OpenStack-Cloud-Crowbar-8-2024-1131,SUSE-OpenStack-Cloud-Crowbar-9-2024-1131 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241131-1/ Link for SUSE-SU-2024:1131-1 https://lists.suse.com/pipermail/sle-updates/2024-April/034891.html E-Mail link for SUSE-SU-2024:1131-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1220239 SUSE Bug 1220239 https://bugzilla.suse.com/1220242 SUSE Bug 1220242 https://bugzilla.suse.com/1220248 SUSE Bug 1220248 https://www.suse.com/security/cve/CVE-2024-25126/ SUSE CVE CVE-2024-25126 page https://www.suse.com/security/cve/CVE-2024-26141/ SUSE CVE CVE-2024-26141 page https://www.suse.com/security/cve/CVE-2024-26146/ SUSE CVE CVE-2024-26146 page SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 ruby2.1-rubygem-rack-1.6.13-3.22.1 ruby2.1-rubygem-rack-doc-1.6.13-3.22.1 ruby2.1-rubygem-rack-testsuite-1.6.13-3.22.1 ruby2.1-rubygem-rack-1.6.13-3.22.1 as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-rack-1.6.13-3.22.1 as a component of SUSE OpenStack Cloud Crowbar 9 Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1. CVE-2024-25126 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-rack-1.6.13-3.22.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-rack-1.6.13-3.22.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241131-1/ https://www.suse.com/security/cve/CVE-2024-25126.html CVE-2024-25126 https://bugzilla.suse.com/1220239 SUSE Bug 1220239 Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1. CVE-2024-26141 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-rack-1.6.13-3.22.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-rack-1.6.13-3.22.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241131-1/ https://www.suse.com/security/cve/CVE-2024-26141.html CVE-2024-26141 https://bugzilla.suse.com/1220242 SUSE Bug 1220242 Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1. CVE-2024-26146 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-rack-1.6.13-3.22.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-rack-1.6.13-3.22.1 moderate 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241131-1/ https://www.suse.com/security/cve/CVE-2024-26146.html CVE-2024-26146 https://bugzilla.suse.com/1220248 SUSE Bug 1220248 https://bugzilla.suse.com/1227310 SUSE Bug 1227310