ELA-1354-1 ruby-rack security update

multiple vulnerabilities

2025-03-24
Package: ruby-rack
Version: 1.6.4-4+deb9u7 (stretch), 2.0.6-3+deb10u5 (buster)
Related CVEs: CVE-2025-25184 CVE-2025-27111 CVE-2025-27610


Multiple vulnerabilities have been fixed in ruby-rack, an interface for developing web applications in Ruby.

CVE-2025-25184: Log Injection in Rack::CommonLogger

CVE-2025-27111: Log Injection in Rack::Sendfile

CVE-2025-27610: Local file inclusion in Rack::Static
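The two log-injection entries above share the general failure mode in which a request-derived value that contains control characters (carriage return, line feed) is written into a log line unchanged, letting a client forge or corrupt log records. The following is an added illustration of the standard mitigation, written for this advisory and not taken from Rack or from the Debian patches; the function names sanitize_log_field and common_log_line and the sample values are constructed for the example.

```ruby
# Added example (not Rack's code, not from the advisory): neutralise
# control characters in request-derived values before they reach a
# log line, the generic defence against log injection in access loggers.

# Replace every C0 control character (including CR and LF), DEL and the
# C1 range with a visible \xNN escape so a value can never terminate the
# current log record or start a fake one.
def sanitize_log_field(value)
  value.to_s.gsub(/[\u0000-\u001f\u007f-\u009f]/) { |c| format('\\x%02X', c.ord) }
end

# Build one Common Log Format style line. In real Rack middleware these
# fields come from the env hash; here they are plain keyword arguments.
def common_log_line(remote_addr:, user:, method:, path:, status:, length:)
  [
    sanitize_log_field(remote_addr),
    '-',
    sanitize_log_field(user),
    "\"#{sanitize_log_field(method)} #{sanitize_log_field(path)} HTTP/1.1\"",
    status.to_i,
    length.to_i
  ].join(' ')
end

# Constructed attacker-controlled username: it embeds CRLF followed by a
# complete fake log record in an attempt to make the log show a second,
# fabricated request from a different address.
FORGED_USER = "alice\r\n10.0.0.9 - mallory \"GET /admin HTTP/1.1\" 200 0"

def demo_line
  common_log_line(remote_addr: '198.51.100.7', user: FORGED_USER,
                  method: 'GET', path: '/index.html', status: 200, length: 512)
end

if __FILE__ == $PROGRAM_NAME
  # With sanitisation the output is a single line and the CRLF is visible
  # as \x0D\x0A instead of breaking the record.
  puts demo_line
end
```

The point of the escape form rather than deletion is that a log reviewer can still see that an injection was attempted; silently stripping the bytes would hide the evidence while still preventing the forged record.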


For Debian 10 buster, these problems have been fixed in version 2.0.6-3+deb10u5.

For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u7.

We recommend that you upgrade your ruby-rack packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.