==========================================================================
Ubuntu Security Notice USN-7036-1
September 26, 2024

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause terminal escape sequences
supplied in a request to be written to a terminal. If a user or automated
system were tricked into sending a specially crafted request to an
application using Rack, a remote attacker could possibly use this issue to
execute arbitrary code on the machine running the application. (CVE-2022-30123)

It was discovered that Rack did not properly structure regular expressions
in some of its parsing components, which could result in uncontrolled
resource consumption if an application using Rack received specially
crafted input. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-44570, CVE-2022-44571)

It was discovered that Rack did not properly structure regular expressions
in its multipart parsing component, which could result in uncontrolled
resource consumption if an application using Rack to parse multipart posts
received specially crafted input. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2022-44572)

It was discovered that Rack incorrectly handled Multipart MIME parsing.
A remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2023-27530)

It was discovered that Rack incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Rack to consume resources, leading to a denial of service.
(CVE-2023-27539)

It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create
large responses, leading to a denial of service. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-26146)
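
The issues above fall into three classes an application can guard against
in front of Rack's own parsers: untrusted bytes reaching a terminal through
the log, Range headers whose number or total extent is unbounded, and
multipart bodies with an unbounded part count. The following is an added
illustration and is not code from Rack, Ubuntu, or the fixed package; it is
plain Ruby with no gem dependency. The MAX_* limits, the function names and
the request data in the demo are hypothetical and constructed for this
example.

```ruby
# Added example, not Rack's or Ubuntu's code: pre-parse guards that sit in
# front of the logging, Range and multipart paths this notice covers. Pure
# Ruby, no gem required. The MAX_* limits are hypothetical policy values and
# the request data in the demo at the bottom is constructed for illustration.

MAX_LOG_FIELD = 200   # bytes kept from any single logged request field
MAX_RANGES    = 16    # byte-range specs accepted in one Range header
MAX_PARTS     = 128   # parts accepted in one multipart body

# Make untrusted request data safe to write to a terminal-backed log (the
# CVE-2022-30123 class). Every control character (Unicode Cc: ESC, CR, LF,
# DEL and the C1 block) is rewritten as a visible \xNN token, so neither an
# escape sequence nor an injected log line survives. Invalid UTF-8 is
# replaced rather than raising mid-request.
def sanitize_for_log(value)
  s = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub('?')
  s = s.gsub(/[[:cntrl:]]/) { |c| format('\x%02x', c.ord) }
  s.bytesize > MAX_LOG_FIELD ? s.byteslice(0, MAX_LOG_FIELD).scrub('?') + '...' : s
end

# Parse a Range header with a hard cap on the number of range specs and on
# the total bytes they cover (the CVE-2022-44570 / CVE-2024-26141 classes):
# only anchored digit checks, no backtracking-prone regex, and the bytes a
# reply can carry never exceed the resource size. Returns an Array of Ranges,
# or nil when the header is malformed or abusive and should be ignored.
def bounded_byte_ranges(header, size)
  return nil unless header.is_a?(String) && header.start_with?('bytes=')
  specs = header[6..-1].split(',', MAX_RANGES + 1)   # one extra field = too many
  return nil if specs.empty? || specs.length > MAX_RANGES
  total = 0
  specs.map do |spec|
    spec = spec.strip
    return nil unless spec.count('-') == 1
    first, last = spec.split('-', 2)
    return nil unless first.match?(/\A\d*\z/) && last.match?(/\A\d*\z/)
    if first.empty?                                  # "-N": last N bytes
      return nil if last.empty? || last.to_i.zero?
      range = [size - last.to_i, 0].max..(size - 1)
    else                                             # "A-B" or "A-"
      start = first.to_i
      return nil if start >= size
      stop = last.empty? ? size - 1 : [last.to_i, size - 1].min
      return nil if stop < start
      range = start..stop
    end
    total += range.size
    return nil if total > size   # overlapping or repeated ranges amplify the reply
    range
  end
end

# Count part delimiters in a multipart body with one linear scan before the
# real parser sees it, so an oversized part count (the CVE-2023-27530 class)
# is rejected up front without allocating anything per part.
def multipart_parts_within_limit?(body, boundary)
  delim = "--#{boundary}\r\n"          # the closing "--boundary--" never matches
  count = 0
  pos = 0
  while (i = body.index(delim, pos))
    count += 1
    return false if count > MAX_PARTS
    pos = i + delim.bytesize
  end
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed request path: an ESC sequence and a CRLF smuggled into it.
  puts sanitize_for_log("/search?q=\e[2J\r\nfake log line")
  # Constructed Range headers against a 1000-byte resource.
  p bounded_byte_ranges('bytes=0-499,-100', 1000)
  p bounded_byte_ranges('bytes=0-999,0-999', 1000)   # nil: 2000 bytes asked of 1000
  # Constructed multipart body with three parts.
  part = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nv\r\n"
  p multipart_parts_within_limit?(part * 3 + "--AaB03x--\r\n", 'AaB03x')
end
```

A nil from bounded_byte_ranges means "ignore the header and serve the full
resource", which is how an invalid Range is normally treated; it is not a
reason to reject the request. The part counter is deliberately a pre-check
only: it does not replace the multipart parser, it just refuses to feed the
parser a body that the limit already rules out.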

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
   ruby-rack                       2.1.4-5ubuntu1.1

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7036-1
   CVE-2022-30122, CVE-2022-30123, CVE-2022-44570, CVE-2022-44571,
   CVE-2022-44572, CVE-2023-27530, CVE-2023-27539, CVE-2024-25126,
   CVE-2024-26141, CVE-2024-26146
   https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/2078711

Package Information:
   https://launchpad.net/ubuntu/+source/ruby-rack/2.1.4-5ubuntu1.1

