Home / mailingsPDF  

[USN-7960-1] Rack vulnerabilities

Posted on 15 January 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7960-1
January 14, 2026

ruby-rack vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)

It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)

It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of service. This issue was only addressed in Ubuntu
22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-61771)

It was discovered that Rack did not properly handle certain headers. An
attacker could possibly use this issue to bypass proxy access
restrictions and obtain sensitive information. (CVE-2025-61780)

Tomoya Yamashita discovered that Rack did not properly manage memory
under certain circumstances. An attacker could possibly use this issue to
cause memory exhaustion, leading to a denial of service. This issue was
only addressed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
and Ubuntu 25.10. (CVE-2025-61919)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
ruby-rack 3.1.16-0.1ubuntu0.1

Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.5

Ubuntu 22.04 LTS
ruby-rack 2.1.4-5ubuntu1.2

Ubuntu 20.04 LTS
ruby-rack 2.0.7-2ubuntu0.1+esm8
Available with Ubuntu Pro

Ubuntu 18.04 LTS
ruby-rack 1.6.4-4ubuntu0.2+esm9
Available with Ubuntu Pro

Ubuntu 16.04 LTS
ruby-rack 1.6.4-3ubuntu0.2+esm9
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7960-1
CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772,
CVE-2025-61780, CVE-2025-61919

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/3.1.16-0.1ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.5
https://launchpad.net/ubuntu/+source/ruby-rack/2.1.4-5ubuntu1.2

--===============8962861461556675096==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :