Updated ruby-rack packages fix security vulnerabilities
Publication date: 18 Jun 2026
Modification date: 18 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-26961, CVE-2026-32762, CVE-2026-34230, CVE-2026-34763, CVE-2026-34785, CVE-2026-34786, CVE-2026-34826, CVE-2026-34827, CVE-2026-34829, CVE-2026-34830, CVE-2026-34831, CVE-2026-34835
Description
CVE-2026-26961 Greedy multipart boundary parsing can cause parser
differentials and WAF bypass. `Forwarded` header semicolon injection
enables `Host` and `Scheme` spoofing.
CVE-2026-34230 Quadratic complexity in
`Rack::Utils.select_best_encoding` via wildcard `Accept-Encoding`
header.
CVE-2026-34763 Root directory disclosure via unescaped regex
interpolation in `Rack::Directory`.
CVE-2026-34785 `Rack::Static` prefix matching can expose unintended
files under the static root.
CVE-2026-34786 `Rack::Static` `header_rules` bypass via URL-encoded path
mismatch.
CVE-2026-34826 Multipart byte range processing allows denial of service
via excessive overlapping ranges.
CVE-2026-34827 Multipart header parsing allows denial of service via
escape-heavy quoted parameters.
CVE-2026-34829 Multipart parsing without `Content-Length` header allows
unbounded chunked file uploads.
CVE-2026-34830 `Rack::Sendfile` header-based `X-Accel-Mapping` regex
injection enables unauthorized `X-Accel-Redirect`.
CVE-2026-34831 `Content-Length` mismatch in `Rack::Files` error
responses.
CVE-2026-34835 `Rack::Request` accepts invalid Host characters, enabling
host allowlist bypass.
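As an added example (not part of this advisory or of the rack project), the following Rack-compatible middleware gives defense-in-depth at the application edge for two of the issues above: it rejects syntactically invalid `Host` values before any allowlist comparison (the class of problem in CVE-2026-34835) and refuses multipart bodies that carry no `Content-Length` or exceed a size cap (the class of problem in CVE-2026-34829). The class name, the allowlist and the size cap are assumptions; it uses only the Rack `env`/`call` convention and needs no gem, and it does not replace installing the updated package.

```ruby
# Added example, not the advisory's or rack's own code. Pure Ruby; follows the
# Rack env hash and [status, headers, body] return convention only.
require 'set'

class StrictRequestGuard
  # Syntactic shape of an HTTP Host: a reg-name or bracketed IPv6 literal,
  # optionally followed by :port. Anything else is rejected outright.
  HOST_RE = /\A(?:[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?\z/

  def initialize(app, allowed_hosts:, max_body_bytes:)
    @app = app
    @allowed_hosts = Set.new(allowed_hosts.map(&:downcase))
    @max_body_bytes = max_body_bytes
  end

  def call(env)
    host = env['HTTP_HOST'].to_s
    # Validate characters first so an odd byte can never influence the match.
    return reject(400, 'invalid Host') unless HOST_RE.match?(host)
    hostname = host.sub(/:\d+\z/, '').downcase
    return reject(400, 'Host not allowed') unless @allowed_hosts.include?(hostname)

    if env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
      length = env['CONTENT_LENGTH'].to_s
      # Multipart uploads must declare a numeric size and stay under the cap;
      # chunked multipart requests without Content-Length are not accepted.
      return reject(411, 'Content-Length required') unless length.match?(/\A\d+\z/)
      return reject(413, 'body too large') if length.to_i > @max_body_bytes
    end
    @app.call(env)
  end

  private

  def reject(status, reason)
    [status, { 'content-type' => 'text/plain' }, [reason]]
  end
end
```

Mount it with `use StrictRequestGuard, allowed_hosts: ['example.com'], max_body_bytes: 10 * 1024 * 1024` in config.ru, adjusting the allowlist and cap to the deployment.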
References
- https://bugs.mageia.org/show_bug.cgi?id=35446
- https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
- https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
- https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
- https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
- https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
- https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
- https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
- https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
- https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
- https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
- https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
- https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
- https://www.cve.org/CVERecord?id=CVE-2026-26961
- https://www.cve.org/CVERecord?id=CVE-2026-32762
- https://www.cve.org/CVERecord?id=CVE-2026-34230
- https://www.cve.org/CVERecord?id=CVE-2026-34763
- https://www.cve.org/CVERecord?id=CVE-2026-34785
- https://www.cve.org/CVERecord?id=CVE-2026-34786
- https://www.cve.org/CVERecord?id=CVE-2026-34826
- https://www.cve.org/CVERecord?id=CVE-2026-34827
- https://www.cve.org/CVERecord?id=CVE-2026-34829
- https://www.cve.org/CVERecord?id=CVE-2026-34830
- https://www.cve.org/CVERecord?id=CVE-2026-34831
- https://www.cve.org/CVERecord?id=CVE-2026-34835
SRPMS
9/core
- ruby-rack-2.2.23-1.mga9