Advisories » MGASA-2024-0123

Updated ruby-rack packages fix security vulnerabilities

Publication date: 12 Apr 2024
Modification date: 12 Apr 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-25126 , CVE-2024-26141 , CVE-2024-26146

Description

Carefully crafted content type headers can cause Rack’s media type
parser to take much longer than expected, leading to a possible denial
of service vulnerability (ReDos 2nd degree polynomial). (CVE-2024-25126)
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could
lead to a denial of service issue. Vulnerable applications will use the
`Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this
includes Rails applications). (CVE-2024-26141)
Carefully crafted headers can cause header parsing in Rack to take
longer than expected resulting in a possible denial of service issue.
Accept and Forwarded headers are impacted. (CVE-2024-26146)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33075
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146

SRPMS

9/core

• ruby-rack-2.2.8.1-1.mga9