Potential Denial of Service Vulnerability in Rack There is a potential denial of service vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2015-3225. Versions Affected: All. Not affected: None. Fixed Versions: 1.6.2, 1.5.4 Impact ------ Carefully crafted requests can cause a `SystemStackError` and potentially cause a denial of service attack. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 1-6-deep_params.patch - Patch for 1.6 series * 1-5-deep_params.patch - Patch for 1.5 series Please note that only the 1.6.x and 1.5.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Special thanks to Tomek Rabczak from the NCC Group for reporting this!
dev-ruby/rack-1.5.4 and dev-ruby/rack-1.6.2 are now in the tree.
Please test and mark stable: =dev-ruby/rack-1.5.4
the 1.4 slot is stabilized, am I correct in assessing this should be EOLed in GLSA?
(In reply to Kristian Fiskerstrand from comment #3) > the 1.4 slot is stabilized, am I correct in assessing this should be EOLed > in GLSA? After discussing this with upstream they released rack 1.4.6 so we can keep Rails 3.2.x around. I've just added that to the tree. New full stable list: =dev-ruby/rack-1.4.6 =dev-ruby/rack-1.5.4
amd64 stable
x86 stable
Stable for HPPA PPC64.
ppc stable
arm stable
alpha stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -rack-1.4.5-r1.ebuild, -rack-1.5.2-r1.ebuild: Remove vulnerable.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA Vote: No