Control: tags 1064516 + patch
Control: tags 1064516 + pending
Dear maintainer,
I've prepared an NMU for ruby-rack (versioned as 2.2.7-1.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should cancel it.
cu
Adrian
diffstat for ruby-rack-2.2.7 ruby-rack-2.2.7
changelog | 10 +
patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 ++++++++++
patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 +++++++++
patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++
patches/series | 3
5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.2.7/debian/changelog ruby-rack-2.2.7/debian/changelog
--- ruby-rack-2.2.7/debian/changelog 2023-07-10 17:32:41.000000000 +0300
+++ ruby-rack-2.2.7/debian/changelog 2024-05-02 22:55:26.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.2.7-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <
bunk@debian.org> Thu, 02 May 2024 22:55:26 +0300
+
ruby-rack (2.2.7-1) unstable; urgency=medium
* Team Upload
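Review bot: in the changelog hunk, the "* Closes: #1064516" line stands as a separate bullet instead of being attached to the entries that actually resolve the bug; Debian changelog convention is to put the closer on the fixing item so the bug is visibly tied to the change. Since all three CVE entries together close the bug, one option is to fold it into the last of them, e.g. " * CVE-2024-26146: ReDoS in Accept header parsing (Closes: #1064516)", or to reference the bug from each CVE line. It would also help reviewers to name the upstream origin of the three patches (the patch file names match the upstream fix titles) in the entries, so the backport can be checked against the upstream commits.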
diff -Nru ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 22:55:26.000