Bugzilla – Bug 1220248
VUL-0: CVE-2024-26146: rubygem-rack,rubygem-rack-1_4,rubygem-rack-1_6: rubygem-rack: Denial of Service vulnerability in Rack headers parsing routine
Last modified: 2024-04-08 12:31:20 UTC
There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26146 https://bugzilla.redhat.com/show_bug.cgi?id=2265595 https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942 Patch: https://github.com/rack/rack/commit/934ed4fb701b491863803833ebc205fbb1e3265a
Tracking as affected: - SUSE:SLE-12:Update/rubygem-rack - SUSE:SLE-12:Update/rubygem-rack-1_4 - SUSE:SLE-15:Update/rubygem-rack - openSUSE:Factory/rubygem-rack
Submit into devel project: https://build.opensuse.org/request/show/1152288
https://discuss.rubyonrails.org/uploads/short-url/sHpVdOeeOaR26vR4Jxr3m9F1eVp.patch (2-0-header-redos.patch from https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942)
Submitted for 15,12/rubygem-rack and 12/rubygem-rack-1_4. I believe all fixed.
SUSE-SU-2024:0765-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Sources used: openSUSE Leap 15.5 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-rack-2.0.8-150000.3.21.2 SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rubygem-rack-2.0.8-150000.3.21.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0946-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Maintenance Incident: [SUSE:Maintenance:33004](https://smelt.suse.de/incident/33004/) Sources used: Containers Module 12 (src): rubygem-rack-1_4-1.4.5-9.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1131-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220239, 1220242, 1220248 CVE References: CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 Maintenance Incident: [SUSE:Maintenance:32805](https://smelt.suse.de/incident/32805/) Sources used: SUSE OpenStack Cloud Crowbar 8 (src): rubygem-rack-1.6.13-3.22.1 SUSE OpenStack Cloud Crowbar 9 (src): rubygem-rack-1.6.13-3.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.