USN-5253-1

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/notices/USN-5253-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5253-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-5253-1

Related

Published

2022-12-13T11:33:52.138404Z

Modified

2022-12-13T11:33:52.138404Z

Summary

ruby-rack vulnerabilities

Details

It was discovered that Rack insecurely handled session ids. An unauthenticated remote attacker could possibly use this issue to perform a timing attack and hijack sessions. (CVE-2019-16782)

It was discovered that Rack was incorrectly handling cookies during parsing, not validating them or performing the necessary integrity checks. An attacker could possibly use this issue to overwrite existing cookie data and gain control over a remote system's behaviour. This issue only affected Ubuntu 14.04 ESM. (CVE-2020-8184)

It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. This issue was only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application. This issue was only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30123)

References

Affected packages

Ubuntu:Pro:14.04:LTS / ruby-rack

Package

Name: ruby-rack
Purl: pkg:deb/ubuntu/ruby-rack?arch=src?distro=trusty/esm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.2-3+deb8u3ubuntu1~esm4

Affected versions

1.*

1.5.2-1

1.5.2-1ubuntu0.1~esm1

1.5.2-3+deb8u3ubuntu1~esm2

1.5.2-3+deb8u3ubuntu1~esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.5.2-3+deb8u3ubuntu1~esm4",
            "binary_name": "librack-ruby"
        },
        {
            "binary_version": "1.5.2-3+deb8u3ubuntu1~esm4",
            "binary_name": "librack-ruby1.8"
        },
        {
            "binary_version": "1.5.2-3+deb8u3ubuntu1~esm4",
            "binary_name": "librack-ruby1.9.1"
        },
        {
            "binary_version": "1.5.2-3+deb8u3ubuntu1~esm4",
            "binary_name": "ruby-rack"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / ruby-rack

Package

Name: ruby-rack
Purl: pkg:deb/ubuntu/ruby-rack?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.4-3ubuntu0.2+esm2

Affected versions

1.*

1.5.2-4

1.6.4-2

1.6.4-3

1.6.4-3ubuntu0.1

1.6.4-3ubuntu0.2

1.6.4-3ubuntu0.2+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.6.4-3ubuntu0.2+esm2",
            "binary_name": "ruby-rack"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / ruby-rack

Package

Name: ruby-rack
Purl: pkg:deb/ubuntu/ruby-rack?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.4-4ubuntu0.2+esm1

Affected versions

1.*

1.6.4-4

1.6.4-4ubuntu0.1

1.6.4-4ubuntu0.2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.6.4-4ubuntu0.2+esm1",
            "binary_name": "ruby-rack"
        }
    ]
}

Ubuntu:Pro:20.04:LTS / ruby-rack

Package

Name: ruby-rack
Purl: pkg:deb/ubuntu/ruby-rack?arch=src?distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.7-2ubuntu0.1+esm1

Affected versions

2.*

2.0.6-3

2.0.7-2

2.0.7-2ubuntu0.1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.0.7-2ubuntu0.1+esm1",
            "binary_name": "ruby-rack"
        }
    ]
}