Home / mailings [USN-8066-1] Rack vulnerabilities
Posted on 26 February 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8066-1
February 26, 2026
ruby-rack vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Rack.
Software Description:
- ruby-rack: modular Ruby webserver interface
Details:
Minh Pham Quang discovered that Rack did not correctly handle parsing
certain paths, which could lead to a path traversal attack. An attacker
could possibly use this issue to leak sensitive information.
(CVE-2026-22860)
Ali Firas discovered that Rack did not correctly sanitize certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-25500)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
ruby-rack 3.1.16-0.1ubuntu0.2
Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.6
Ubuntu 22.04 LTS
ruby-rack 2.1.4-5ubuntu1.2+esm2
Available with Ubuntu Pro
Ubuntu 20.04 LTS
ruby-rack 2.0.7-2ubuntu0.1+esm9
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8066-1
CVE-2026-22860, CVE-2026-25500
Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/3.1.16-0.1ubuntu0.2
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.6
--===============1158694866967854231==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
