Mageia 2023-0106: ruby-rack security update
Summary
A denial of service vulnerability in the Range header parsing component of
Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing
component in Rack to take an unexpected amount of time, possibly resulting
in a denial of service attack vector. Any applications that deal with Range
requests (such as streaming applications, or applications that serve files)
may be impacted. (CVE-2022-44570)
There is a denial of service vulnerability in the Content-Disposition
parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This
could allow an attacker to craft an input that can cause Content-Disposition
header parsing in Rackto take an unexpected amount of time, possibly
resulting in a denial ofservice attack vector. This header is used typically
used in multipartparsing. Any applications that parse multipart posts using
Rack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)
A denial of service vulnerability in the multipart parsing component of Rack
fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to
craft input that can cause RFC2183 multipart boundary parsing in Rack to
take an unexpected amount of time, possibly resulting in a denial of service
attack vector. Any applications that parse multipart posts using Rack
(virtually all Rails applications) are impacted. (CVE-2022-44572)
A DoS vulnerability exists in Rack
References
- https://bugs.mageia.org/show_bug.cgi?id=31496
- https://www.debian.org/lts/security/2023/dla-3298
- https://lists.suse.com/pipermail/sle-security-updates/2023-February/013629.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFU3ZHNAUDV7V7P7HFAAT4TJIHOMW5K/
- https://ubuntu.com/security/notices/USN-5910-1
- https://lists.suse.com/pipermail/sle-security-updates/2023-March/014032.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
Resolution
MGASA-2023-0106 - Updated ruby-rack packages fix security vulnerability
SRPMS
- 8/core/ruby-rack-2.2.3.1-1.2.mga8