Bugzilla – Bug 1220242
VUL-0: CVE-2024-26141: rubygem-rack,rubygem-rack-1_4,rubygem-rack-1_6: rubygem-rack: Denial of Service Vulnerability in Range request header parsing
Last modified: 2024-04-08 12:31:20 UTC
There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26141 https://bugzilla.redhat.com/show_bug.cgi?id=2265594 Patch: https://github.com/rack/rack/commit/fb4c1cde8f98e06aa0dd03f9904961660978dfd8
Tracking as affected: - SUSE:SLE-15:Update/rubygem-rack - openSUSE:Factory/rubygem-rack
(In reply to Andrea Mattiazzo from comment #1) > Tracking as affected: > - SUSE:SLE-15:Update/rubygem-rack > - openSUSE:Factory/rubygem-rack Tracking also as affected: - SUSE:SLE-12:Update/rubygem-rack-1_4 - SUSE:SLE-12:Update/rubygem-rack
Additional references: https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
Submit into devel project: https://build.opensuse.org/request/show/1152288
https://discuss.rubyonrails.org/uploads/short-url/lQjLaFuxl2weKovlsJZptrXfIyB.patch (2-2-range.patch from https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944)
Submitted for 15,12/rubygem-rack and 12/rubygem-rack-1_4. I believe all fixed.
SUSE-SU-2024:0765-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Sources used: openSUSE Leap 15.5 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rubygem-rack-2.0.8-150000.3.21.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0946-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Maintenance Incident: [SUSE:Maintenance:33004](https://smelt.suse.de/incident/33004/) Sources used: Containers Module 12 (src): rubygem-rack-1_4-1.4.5-9.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1131-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Maintenance Incident: [SUSE:Maintenance:32805](https://smelt.suse.de/incident/32805/) Sources used: SUSE OpenStack Cloud Crowbar 8 (src): rubygem-rack-1.6.13-3.22.1 SUSE OpenStack Cloud Crowbar 9 (src): rubygem-rack-1.6.13-3.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.