
Mageia 9 ruby-rack Critical Multiple Threats Security Update 2026-0226

mageia
June 18, 2026
Critical updates addressing multiple security issues in ruby-rack for Mageia 9, including Denial of Service risks and parsing errors.
Security update

Summary

Description:

- CVE-2026-26961: Greedy multipart boundary parsing can cause parser differentials and WAF bypass. `Forwarded` header semicolon injection enables `Host` and `Scheme` spoofing.

- CVE-2026-34230: Quadratic complexity in `Rack::Utils.select_best_encoding` via wildcard `Accept-Encoding` header.

- CVE-2026-34763: Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.

- CVE-2026-34785: `Rack::Static` prefix matching can expose unintended files under the static root.

- CVE-2026-34786: `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.

- CVE-2026-34826: Multipart byte range processing allows denial of service via excessive overlapping ranges.

- CVE-2026-34827: Multipart header parsing allows denial of service via escape-heavy quoted parameters.

- CVE-2026-34829: Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.

- CVE-2026-34830: `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-R...

References

- https://bugs.mageia.org/show_bug.cgi?id=35446

- https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3

- https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49

- https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr

- https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp

- https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq

- https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh

- https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx

- https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x

- https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw

- https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7

- https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388

- https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5

- https://www.cve.org/CVERecord?id=CVE-2026-26961

- https://www.cve.org/CVERecord?id=CVE-2026-32762

- https://www.cve.org/CVERecord?id=CVE-2026-34230

- https://www.cve.org/CVERecord?id=CVE-2026-34763

- https://www.cve.org/CVERecord?id=CVE-2026-34785

- https://www.cve.org/CVERecord?id=CVE-2026-34786

- https://www.cve.org/CVERecord?id=CVE-2026-34826

- https://www.cve.org/CVERecord?id=CVE-2026-34827

- https://www.cve.org/CVERecord?id=CVE-2026-34829

- https://www.cve.org/CVERecord?id=CVE-2026-34830

- https://www.cve.org/CVERecord?id=CVE-2026-34831

- https://www.cve.org/CVERecord?id=CVE-2026-34835

Resolution

SRPMS

- 9/core/ruby-rack-2.2.23-1.mga9

Severity
critical

Publication date: 18 Jun 2026 
URL: https://advisories.mageia.org/MGASA-2026-0226.html
Type: security
CVE: CVE-2026-26961, CVE-2026-32762, CVE-2026-34230, CVE-2026-34763, CVE-2026-34785, CVE-2026-34786, CVE-2026-34826, CVE-2026-34827, CVE-2026-34829, CVE-2026-34830, CVE-2026-34831, CVE-2026-34835
