Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2024-26141: rubygem-rack,rubygem-rack-1_4,rubygem-rack-1_6: rubygem-rack: Denial of Service Vulnerability in Range request header parsing | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | andrea.mattiazzo, pgajdos |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/394940/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-26141:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-02-23 09:00:08 UTC
Tracking as affected:
- SUSE:SLE-15:Update/rubygem-rack
- openSUSE:Factory/rubygem-rack

(In reply to Andrea Mattiazzo from comment #1)
> Tracking as affected:
> - SUSE:SLE-15:Update/rubygem-rack
> - openSUSE:Factory/rubygem-rack

Tracking also as affected:
- SUSE:SLE-12:Update/rubygem-rack-1_4
- SUSE:SLE-12:Update/rubygem-rack

Additional references:
https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944

Submit into devel project:
https://build.opensuse.org/request/show/1152288

https://discuss.rubyonrails.org/uploads/short-url/lQjLaFuxl2weKovlsJZptrXfIyB.patch
(2-2-range.patch from https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944)

Submitted for 15,12/rubygem-rack and 12/rubygem-rack-1_4. I believe all fixed.

SUSE-SU-2024:0765-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220239, 1220242, 1220248
CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Sources used:
openSUSE Leap 15.5 (src): rubygem-rack-2.0.8-150000.3.21.2
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-rack-2.0.8-150000.3.21.2
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-rack-2.0.8-150000.3.21.2
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-rack-2.0.8-150000.3.21.2
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rubygem-rack-2.0.8-150000.3.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0946-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220239, 1220242, 1220248
CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Maintenance Incident: [SUSE:Maintenance:33004](https://smelt.suse.de/incident/33004/)
Sources used:
Containers Module 12 (src): rubygem-rack-1_4-1.4.5-9.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1131-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220239, 1220242, 1220248
CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146
Maintenance Incident: [SUSE:Maintenance:32805](https://smelt.suse.de/incident/32805/)
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): rubygem-rack-1.6.13-3.22.1
SUSE OpenStack Cloud Crowbar 9 (src): rubygem-rack-1.6.13-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
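The bug summary only names the weakness ("Denial of Service Vulnerability in Range request header parsing") and points at the upstream thread and 2-2-range.patch. The example below is an added illustration of that class of bug, not code from this bug report, from Rack, or from the linked patch: a byte-range parser written in the style of RFC 7233 range semantics, followed by one possible guard. The module name `RangeGuard`, the method names, the sample resource size (1000 bytes) and the specific guard chosen (reject a multi-range request whose ranges together exceed the resource size) are all assumptions made here; Rack's actual fix lives in the linked patch and may apply a different limit.

```ruby
# Added example (not Rack's code). Illustrates how a Range header with many
# overlapping ranges amplifies the size of a 206 response, and one guard
# against it. Names and the chosen limit are assumptions for this example.
module RangeGuard
  # Parse an HTTP Range header value against a resource of +size+ bytes.
  # Returns an Array of Ruby Range objects, or nil when the header is absent
  # or syntactically unusable (a server then ignores it and answers 200).
  def self.byte_ranges(http_range, size)
    return nil unless http_range && (m = /\Abytes=([^;]+)\z/.match(http_range))

    ranges = []
    m[1].split(/,\s*/).each do |spec|
      return nil unless spec.include?('-')
      first, last = spec.split('-', 2)
      if first.nil? || first.empty?
        # suffix-byte-range-spec ("-N"): the last N bytes of the resource
        return nil if last.nil? || last.empty?
        n = last.to_i
        return nil if n <= 0
        r0 = [size - n, 0].max
        r1 = size - 1
      else
        r0 = first.to_i
        if last.nil? || last.empty?
          r1 = size - 1                      # "N-": from N to end of resource
        else
          r1 = last.to_i
          return nil if r1 < r0              # backwards range is invalid
          r1 = size - 1 if r1 >= size        # clamp to the resource
        end
      end
      ranges << (r0..r1) if r0 <= r1
    end
    ranges
  end

  # Bytes a server would write for these ranges (multipart boundaries ignored).
  # Nothing in the parser above stops this from vastly exceeding +size+.
  def self.response_bytes(ranges)
    ranges.sum(&:size)
  end

  # Hardened variant: same parse, then refuse a multipart response whose
  # total payload would be larger than the resource itself. Returning nil
  # makes the caller fall back to a plain 200 with the whole resource.
  def self.safe_byte_ranges(http_range, size)
    ranges = byte_ranges(http_range, size)
    return nil if ranges.nil?
    return nil if ranges.length > 1 && ranges.sum(&:size) > size
    ranges
  end
end

if __FILE__ == $0
  # Constructed input: 100 copies of the full-resource range for a 1000-byte file.
  amplified = 'bytes=' + Array.new(100, '0-999').join(',')
  naive = RangeGuard.byte_ranges(amplified, 1000)
  puts "naive parser would emit #{RangeGuard.response_bytes(naive)} bytes for a 1000-byte resource"
  puts "guarded parser returns #{RangeGuard.safe_byte_ranges(amplified, 1000).inspect}"
end
```

The constructed header is 100 overlapping full-resource ranges: the naive parser accepts them and the server would emit 100,000 bytes for a 1,000-byte file, which is the amplification behind a Range-header DoS. The guarded variant rejects that request while still honouring ordinary single ranges, suffix ranges and non-overlapping multi-range requests.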