Security: Multiple problems in Rack
Name: Multiple problems in Rack
ID: USN-7036-1
Distribution: Ubuntu
Platforms: Ubuntu 22.04 LTS
Date: Thu, 26 September 2024, 21:27
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/2078711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
Applications: RACK

Original message

From: Bruce Cable <bruce.cable@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <a70a00f4-958e-4361-9b83-36d2e7b0dfa7@canonical.com>
Subject: [USN-7036-1] Rack vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7036-1
September 26, 2024

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escape sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code on
the machine running the application. (CVE-2022-30123)

It was discovered that Rack did not properly structure regular expressions
in some of its parsing components, which could result in uncontrolled
resource consumption if an application using Rack received specially
crafted input. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-44570, CVE-2022-44571)

It was discovered that Rack did not properly structure regular expressions
in its multipart parsing component, which could result in uncontrolled
resource consumption if an application using Rack to parse multipart posts
received specially crafted input. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2022-44572)

It was discovered that Rack incorrectly handled Multipart MIME parsing.
A remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2023-27530)

It was discovered that Rack incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Rack to consume resources, leading to a denial of service.
(CVE-2023-27539)

It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create
large responses, leading to a denial of service. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-26146)
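
The issues above are all resource-exhaustion bugs triggered by oversized or oddly shaped request input (multipart bodies, Range headers, crafted headers). As an added example that is not part of the advisory or of the Rack project itself, the following small Rack middleware applies request-level limits in front of an application as defence in depth while the package update is rolled out; the limit values and the class name `RequestLimits` are assumptions, and since a Rack env is a plain Hash the code runs without the rack gem installed.

```ruby
# Added example (not from the advisory or from Rack): request-level limits
# applied before the application sees the request. A Rack env is a plain
# Hash, so this needs no gems and can be exercised with a constructed env.
class RequestLimits
  MAX_MULTIPART_BYTES = 8 * 1024 * 1024   # assumption: 8 MiB multipart cap
  MAX_RANGES          = 8                 # assumption: refuse > 8 byte ranges
  MAX_HEADER_BYTES    = 8 * 1024          # assumption: 8 KiB per header value

  def initialize(app)
    @app = app
  end

  # Standard Rack interface: short-circuit with an error response or pass on.
  def call(env)
    reason = reject_reason(env)
    return [reason[:status], { 'content-type' => 'text/plain' }, [reason[:body]]] if reason
    @app.call(env)
  end

  # Returns nil when the request passes, otherwise { status:, body: }.
  def reject_reason(env)
    ctype = env['CONTENT_TYPE'].to_s
    clen  = env['CONTENT_LENGTH'].to_i
    if ctype.downcase.start_with?('multipart/') && clen > MAX_MULTIPART_BYTES
      return { status: 413, body: "multipart body exceeds #{MAX_MULTIPART_BYTES} bytes\n" }
    end
    range = env['HTTP_RANGE']
    if range && count_ranges(range) > MAX_RANGES
      return { status: 416, body: "too many byte ranges\n" }
    end
    env.each do |key, value|
      next unless key.start_with?('HTTP_') && value.is_a?(String)
      return { status: 431, body: "header #{key} too long\n" } if value.bytesize > MAX_HEADER_BYTES
    end
    nil
  end

  # Counts range specs in "bytes=a-b,c-d,..." by splitting rather than with a
  # regex, so an oversized header cannot trigger regex backtracking here.
  def count_ranges(header)
    spec = header.split('=', 2)[1].to_s
    spec.split(',').count { |r| !r.strip.empty? }
  end
end
```

Insert it with `use RequestLimits` in config.ru; the limits are a stopgap, not a substitute for the fixed package version.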

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  ruby-rack                       2.1.4-5ubuntu1.1

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7036-1
  CVE-2022-30122, CVE-2022-30123, CVE-2022-44570, CVE-2022-44571,
  CVE-2022-44572, CVE-2023-27530, CVE-2023-27539, CVE-2024-25126,
  CVE-2024-26141, CVE-2024-26146
  https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/2078711

Package Information:
  https://launchpad.net/ubuntu/+source/ruby-rack/2.1.4-5ubuntu1.1

