Ubuntu alert USN-7960-1 (ruby-rack)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-7960-1] Rack vulnerabilities
Date: Thu, 15 Jan 2026 08:19:37 +0000
Message-ID: <E1vgIZt-0004Dy-5r@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-7960-1
January 14, 2026

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)

It was discovered that Rack did not properly handle certain multipart form
data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)

It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of service. This issue was only addressed in
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-61771)

It was discovered that Rack did not properly handle certain headers. An
attacker could possibly use this issue to bypass proxy access restrictions
and obtain sensitive information. (CVE-2025-61780)

Tomoya Yamashita discovered that Rack did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
memory exhaustion, leading to a denial of service. This issue was only
addressed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and
Ubuntu 25.10. (CVE-2025-61919)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  ruby-rack                       3.1.16-0.1ubuntu0.1

Ubuntu 24.04 LTS
  ruby-rack                       2.2.7-1ubuntu0.5

Ubuntu 22.04 LTS
  ruby-rack                       2.1.4-5ubuntu1.2

Ubuntu 20.04 LTS
  ruby-rack                       2.0.7-2ubuntu0.1+esm8
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ruby-rack                       1.6.4-4ubuntu0.2+esm9
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ruby-rack                       1.6.4-3ubuntu0.2+esm9
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7960-1
  CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772,
  CVE-2025-61780, CVE-2025-61919

Package Information:
  https://launchpad.net/ubuntu/+source/ruby-rack/3.1.16-0.1...
  https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubu...
  https://launchpad.net/ubuntu/+source/ruby-rack/2.1.4-5ubu...
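A fleet-wide check for this notice has to compare installed ruby-rack package versions against the fixed versions above, and Debian package versions do not sort lexically (0.10 is newer than 0.5, ~rc1 is older than the final release, +esm8 is newer than the version without the suffix). The script below is an added example, not part of the notice or of the Rack project: it carries the fixed-version table from the notice and implements the dpkg version-ordering rules in Python so the comparison runs anywhere, including on hosts without dpkg. The host names, the 23.10 release and the installed versions in the sample inventory are constructed.

```python
"""Is an installed ruby-rack at or above the version fixed in USN-7960-1?

Fixed versions are copied from the notice; ordering follows dpkg's rules:
epoch first, then upstream version, then Debian revision, where '~' sorts
before anything (even end of string) and digit runs compare numerically.
"""

# Release -> fixed ruby-rack version, as listed in USN-7960-1.
FIXED_VERSIONS = {
    "25.10": "3.1.16-0.1ubuntu0.1",
    "24.04": "2.2.7-1ubuntu0.5",
    "22.04": "2.1.4-5ubuntu1.2",
    "20.04": "2.0.7-2ubuntu0.1+esm8",  # Ubuntu Pro (ESM)
    "18.04": "1.6.4-4ubuntu0.2+esm9",  # Ubuntu Pro (ESM)
    "16.04": "1.6.4-3ubuntu0.2+esm9",  # Ubuntu Pro (ESM)
}


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run (dpkg's order())."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg fragment comparison: alternate non-digit runs and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, compare by length then by digits.
        da = db = ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        da, db = da.lstrip("0"), db.lstrip("0")
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(release: str, installed: str):
    """True/False for releases the notice lists; None when it does not cover the release."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


def check_inventory(lines):
    """Lines of '<host> <ubuntu-release> <installed ruby-rack version>' -> [(host, status)]."""
    report = []
    for line in lines:
        host, release, installed = line.split()
        verdict = is_patched(release, installed)
        status = "not covered" if verdict is None else ("patched" if verdict else "VULNERABLE")
        report.append((host, status))
    return report


# Constructed sample inventory (hypothetical hosts, releases and versions).
SAMPLE_INVENTORY = [
    "web-01 24.04 2.2.7-1ubuntu0.5",
    "web-02 24.04 2.2.7-1ubuntu0.4",
    "legacy-01 20.04 2.0.7-2ubuntu0.1+esm7",
    "lab-01 23.10 3.0.9.1-1",
]

for _host, _status in check_inventory(SAMPLE_INVENTORY):
    print(f"{_host}: {_status}")
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' ruby-rack` and the release from `/etc/os-release`; feed those into `is_patched`. A "not covered" verdict only means the release is not in this notice's table, not that the host is safe, and for 16.04, 18.04 and 20.04 the fixed package is only available with Ubuntu Pro, so an unpatched ESM host will stay "VULNERABLE" after a standard update.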
