===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0576
                         ruby-rack security update
                              31 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-44572 CVE-2022-44571 CVE-2022-44570
                   CVE-2020-8184 CVE-2020-8161 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html

Comment: CVSS (Max):  8.6 CVE-2020-8161 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3298-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
January 31, 2023                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : ruby-rack
Version        : 2.0.6-3+deb10u2
CVE ID         : CVE-2020-8161 CVE-2020-8184 CVE-2022-44570
                 CVE-2022-44571 CVE-2022-44572
Debian Bug     : 963477 1029832

Several vulnerabilities, including a directory traversal vulnerability
and a ReDoS (regular expression denial of service) vulnerability, were
found in ruby-rack, a modular Ruby web server interface.

For Debian 10 buster, these problems have been fixed in version
2.0.6-3+deb10u2.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================