SB2025110468 - Fedora 42 update for rubygem-rack

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2022-44571)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing Content-Disposition header in lib/rack/multipart/parser.rb. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2022-44570)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the get_byte_ranges() function in lib/rack/utils.rb when parsing the Range header. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2022-44572)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing Content-Disposition header in lib/rack/multipart/parser.rb. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Input validation error (CVE-ID: CVE-2023-27530)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input of Multipart MIME header. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

5) Input validation error (CVE-ID: CVE-2023-27539)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing HTTP headers. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

6) Incorrect Regular Expression (CVE-ID: CVE-2024-25126)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in content type parsing (2nd degree polynomial). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

7) Input validation error (CVE-ID: CVE-2024-26141)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Range request header in Rack. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

8) Input validation error (CVE-ID: CVE-2024-26146)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the header parsing. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

9) CRLF injection (CVE-ID: CVE-2025-25184)

The vulnerability allows a remote user to manipulate data log entries.

The vulnerability exists due to insufficient validation of attacker-supplied data in Rack::CommonLogger. A remote user can pass specially crafted authorization credentials containing CR-LF characters to the Rack::Auth::Basic method, which stores this info into the to the env['REMOTE_USER'] variable. If the application accepts CR-LF characters in user name, a remote user can manipulate data log entries.

10) Improper Output Neutralization for Logs (CVE-ID: CVE-2025-27111)

The vulnerability allows a remote attacker to manipulate log entries.

The vulnerability exists due to improper input validation of the X-Sendfile-Type header in Rack::Sendfile when handling. A remote attacker can send specially crafted data containing newline characters via the affected header and manipulate log files.

11) Path traversal (CVE-ID: CVE-2025-27610)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in Rack::Static. A remote attacker can read arbitrary files on the system.

12) Race condition (CVE-ID: CVE-2025-32441)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists because when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session. A remote user can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.

13) Resource exhaustion (CVE-ID: CVE-2025-46727)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

14) Resource exhaustion (CVE-ID: CVE-2025-59830)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the "Rack::QueryParser" function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

15) Resource exhaustion (CVE-ID: CVE-2025-61770)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in Rack::Multipart::Parser. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

16) Resource exhaustion (CVE-ID: CVE-2025-61771)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in Rack::Multipart::Parser when handling file parts. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

17) Resource exhaustion (CVE-ID: CVE-2025-61772)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in Rack::Multipart::Parser when handling multipart headers. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

18) Information disclosure (CVE-ID: CVE-2025-61780)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper handling of headers in "Rack::Sendfile". A remote attacker can bypass proxy-enforced restrictions and access internal endpoints.

19) Resource exhaustion (CVE-ID: CVE-2025-61919)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in "Rack::Request" form parsing. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2025-eae2126736