Updated ruby-rack packages fix security vulnerabilities
Publication date: 12 Apr 2024Modification date: 12 Apr 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-25126 , CVE-2024-26141 , CVE-2024-26146
Description
Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). (CVE-2024-25126) Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). (CVE-2024-26141) Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. (CVE-2024-26146)
References
SRPMS
9/core
- ruby-rack-2.2.8.1-1.mga9