USN-5896-1: Rack vulnerabilities
27 February 2023
Several security issues were fixed in Rack.
Releases
Packages
- ruby-rack - modular Ruby webserver interface
Details
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)
It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escaped sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code in
the machine running the application. (CVE-2022-30123)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
-
ruby-rack
-
2.1.4-5ubuntu1+esm2
Available with Ubuntu Pro
Ubuntu 20.04
-
ruby-rack
-
2.0.7-2ubuntu0.1+esm2
Available with Ubuntu Pro
Ubuntu 18.04
-
ruby-rack
-
1.6.4-4ubuntu0.2+esm2
Available with Ubuntu Pro
After a standard system update you need to restart any applications using
Rack to make all the necessary changes.
References
Related notices
- USN-5253-1: librack-ruby1.9.1, ruby-rack, librack-ruby1.8, librack-ruby
- USN-7036-1: ruby-rack