{
  "schema_version": "1.7.0",
  "id": "MGASA-2023-0106",
  "published": "2023-03-24T05:55:49Z",
  "modified": "2023-03-24T04:41:51Z",
  "summary": "Updated ruby-rack packages fix security vulnerability",
  "details": "A denial of service vulnerability in the Range header parsing component of\nRack >= 1.5.0. A Carefully crafted input can cause the Range header parsing\ncomponent in Rack to take an unexpected amount of time, possibly resulting\nin a denial of service attack vector. Any applications that deal with Range\nrequests (such as streaming applications, or applications that serve files)\nmay be impacted. (CVE-2022-44570)\n\nThere is a denial of service vulnerability in the Content-Disposition\nparsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This\ncould allow an attacker to craft an input that can cause Content-Disposition\nheader parsing in Rackto take an unexpected amount of time, possibly\nresulting in a denial ofservice attack vector. This header is used typically\nused in multipartparsing. Any applications that parse multipart posts using\nRack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)\n\nA denial of service vulnerability in the multipart parsing component of Rack\nfixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to\ncraft input that can cause RFC2183 multipart boundary parsing in Rack to\ntake an unexpected amount of time, possibly resulting in a denial of service\nattack vector. Any applications that parse multipart posts using Rack\n(virtually all Rails applications) are impacted. (CVE-2022-44572)\n\nA DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and\n<v2.0.9.3 within in the Multipart MIME parsing code in which could allow an\nattacker to craft requests that can be abuse to cause multipart parsing to\ntake longer than expected. (CVE-2023-27530)\n",
  "upstream": [
    "CVE-2022-44570",
    "CVE-2022-44571",
    "CVE-2022-44572",
    "CVE-2023-27530"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2023-0106.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=31496"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/lts/security/2023/dla-3298"
    },
    {
      "type": "WEB",
      "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/"
    },
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-5910-1"
    },
    {
      "type": "WEB",
      "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:8",
        "name": "ruby-rack",
        "purl": "pkg:rpm/mageia/ruby-rack?arch=source&distro=mageia-8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.3.1-1.2.mga8"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}