Source: ruby-rack
Version: 3.1.12-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.2.6.4-1
Control: found -1 2.2.13-1~deb12u1

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-46727[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings
| and `application/x-www-form-urlencoded` bodies into Ruby data
| structures without imposing any limit on the number of parameters,
| allowing attackers to send requests with extremely large numbers of
| parameters. The vulnerability arises because `Rack::QueryParser`
| iterates over each `&`-separated key-value pair and adds it to a
| Hash without enforcing an upper bound on the total number of
| parameters. This allows an attacker to send a single request
| containing hundreds of thousands (or more) of parameters, which
| consumes excessive memory and CPU during parsing. An attacker can
| trigger denial of service by sending specifically crafted HTTP
| requests, which can cause memory exhaustion or pin CPU resources,
| stalling or crashing the Rack server. This results in full service
| disruption until the affected worker is restarted. Versions 2.2.14,
| 3.0.16, and 3.1.14 fix the issue. Some other mitigations are
| available. One may use middleware to enforce a maximum query string
| size or parameter count, or employ a reverse proxy (such as Nginx)
| to limit request sizes and reject oversized query strings or bodies.
| Limiting request body sizes and query string lengths at the web
| server or CDN level is an effective mitigation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46727
https://www.cve.org/CVERecord?id=CVE-2025-46727
[1] https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
[2] https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Processing control commands:

tags -1 patch

Bug #1104927 [src:ruby-rack] ruby-rack: CVE-2025-46727
Added tag(s) patch.

--
1104927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Control: tags -1 patch

I am uploading a NMU to fix this.
Please find the debdiff attached.

diff -Nru ruby-rack-3.1.12/CHANGELOG.md ruby-rack-3.1.16/CHANGELOG.md
--- ruby-rack-3.1.12/CHANGELOG.md 2025-03-10 22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/CHANGELOG.md 2025-06-05 00:27:50.000000000 +0200
@@ -2,6 +2,20 @@

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).

+## [3.1.15] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
+## [3.1.14] - 2025-05-06
+
+### Security
+
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+
+## [3.1.13] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
## [3.1.12] - 2025-03-11

### Security
@@ -129,6 +143,24 @@

- In

This is a multi-part message in MIME format...

Your message dated Tue, 15 Jul 2025 17:04:40 +0000
with message-id <E1ubj56-00Dk6x-27@fasolo.debian.org>
and subject line Bug#1104927: fixed in ruby-rack 3.1.16-0.1
has caused the Debian Bug report #1104927,
regarding ruby-rack: CVE-2025-46727
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


--
1104927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

Received: (at submit) by bugs.debian.org; 8 May 2025 19:22:02 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
(2021-04-09) on buxtehude.debian.org
X-Spam-Level:
X-Spam-Status: No, score=-111.4 required=4.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FOURLA,FROMDEVELOPER,MD5_SHA1_SUM,
SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY,USER_IN_DKIM_WELCOMELIST,
USER_IN_DKIM_WHITELIST,XMAILER_REPORTBUG autolearn=ham
autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 28; hammy, 150; neutral, 135; spammy,
0. spammytokens:
hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
0.000-+--H*RT:311, 0.000-+--H*RT:108
Return-path: <carnil@debian.org>
Received: from stravinsky.debian.org ([2001:41b