Debian Security Advisory

DLA-2275-1 ruby-rack -- LTS security update

Date Reported:
11 Jul 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 963477.
In Mitre's CVE dictionary: CVE-2020-8161, CVE-2020-8184.
More information:

The following CVEs were reported against src:ruby-rack.

  • CVE-2020-8161

    A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

  • CVE-2020-8184

    A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u2.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: