openEuler Security Advisory openEuler-SA-2024-1822: rubygem-rack security update

An update for rubygem-rack is now available for openEuler-22.03-LTS-SP1.

Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2024-07-12
Current release date: 2024-07-12
Revision history: 1.0 (2024-07-12) - Initial
Generator: openEuler SA Tool V1.0, 2024-07-12
Severity: High

Description:
Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Security Fix(es):

CVE-2022-44572: A denial of service vulnerability in the multipart parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1, could allow an attacker to craft input that causes RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

CVE-2024-26141: Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References:
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1822
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-44572
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-26141
https://nvd.nist.gov/vuln/detail/CVE-2022-44572
https://nvd.nist.gov/vuln/detail/CVE-2024-26141

Affected product: openEuler-22.03-LTS-SP1

Updated packages:
rubygem-rack-2.2.3.1-4.oe2203sp1.noarch.rpm
rubygem-rack-help-2.2.3.1-4.oe2203sp1.noarch.rpm
rubygem-rack-2.2.3.1-4.oe2203sp1.src.rpm

Vulnerability details:

CVE-2022-44572
Release date: 2024-07-12
Affected product: openEuler-22.03-LTS-SP1
Severity: High
CVSS base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remediation: rubygem-rack security update, 2024-07-12, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1822

CVE-2024-26141
Release date: 2024-07-12
Affected product: openEuler-22.03-LTS-SP1
Severity: Medium
CVSS base score: 5.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Remediation: rubygem-rack security update, 2024-07-12, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1822