{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"rubygem-rack security update", "category":"general", "title":"Synopsis" }, { "text":"An update for rubygem-rack is now available for openEuler-22.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\n\nSecurity Fix(es):\n\nRack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.(CVE-2024-26146)", "category":"general", "title":"Description" }, { "text":"An update for rubygem-rack is now available for openEuler-22.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"rubygem-rack", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1686", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1686" }, { "summary":"CVE-2024-26146", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-26146&packageName=rubygem-rack" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26146" }, { "summary":"openEuler-SA-2025-1686 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1686.json" } ], "title":"An update for rubygem-rack is now available for openEuler-22.03-LTS-SP4", "tracking":{ "initial_release_date":"2025-06-27T21:43:21+08:00", "revision_history":[ { "date":"2025-06-27T21:43:21+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-06-27T21:43:21+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-06-27T21:43:21+08:00", "id":"openEuler-SA-2025-1686", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"openEuler-22.03-LTS-SP4", "name":"openEuler-22.03-LTS-SP4" }, "name":"openEuler-22.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"rubygem-rack-2.2.3.1-8.oe2203sp4.noarch.rpm", "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.noarch.rpm" }, "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch.rpm", "name":"rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch.rpm" }, "name":"rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"rubygem-rack-2.2.3.1-8.oe2203sp4.src.rpm", "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.src.rpm" }, "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"rubygem-rack-2.2.3.1-8.oe2203sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.noarch", "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch", "name":"rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"rubygem-rack-2.2.3.1-8.oe2203sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.src", "name":"rubygem-rack-2.2.3.1-8.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2024-26146", "notes":[ { "text":"Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.src" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.src" ], "details":"rubygem-rack security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1686" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-help-2.2.3.1-8.oe2203sp4.noarch", "openEuler-22.03-LTS-SP4:rubygem-rack-2.2.3.1-8.oe2203sp4.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2024-26146" } ] }