Debian Security Advisory
DLA-3264-1 ruby-sinatra -- LTS security update
- Date Reported: 10 Jan 2023
- Affected Packages: ruby-sinatra
- Security database references: In Mitre's CVE dictionary: CVE-2022-45442.
- More information:
It was discovered that there was a potential reflected file download (RFD) vulnerability in ruby-sinatra, a Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a potentially user-supplied filename.
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Versions 2.2.3 and 3.0.4 contain patches for this issue.
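As an added illustration (not Sinatra's own code and not the Debian patch), the Ruby helper below shows the unsafe derivation pattern the advisory describes beside one that sanitizes a caller-supplied filename before it reaches the Content-Disposition header; the function names, the fallback name and the character policy are assumptions, and only the standard library is used.

```ruby
require 'erb'

# Naive derivation, the pattern the advisory warns about: the untrusted
# filename is interpolated straight into the header value, so quotes,
# semicolons, CR/LF and path components all reach the response header.
def naive_content_disposition(filename)
  "attachment; filename=\"#{filename}\""
end

# Hardened derivation (assumed policy, not Sinatra's):
#  1. repair invalid bytes and keep only the last path component
#  2. drop control characters and characters that delimit header syntax
#  3. fall back to a fixed name when nothing usable remains
#  4. emit an ASCII `filename` parameter and, for non-ASCII names, the
#     RFC 6266 `filename*` form, which is percent-encoded and so inert
def safe_content_disposition(filename, fallback: 'download')
  base    = File.basename(filename.to_s.scrub('_'))
  cleaned = base.gsub(/[\x00-\x1f\x7f"\\\/;]/, '')
  cleaned = fallback if cleaned.empty? || cleaned == '.' || cleaned == '..'
  ascii   = cleaned.encode('US-ASCII', undef: :replace, invalid: :replace, replace: '_')
  header  = "attachment; filename=\"#{ascii}\""
  header << "; filename*=UTF-8''#{ERB::Util.url_encode(cleaned)}" unless cleaned.ascii_only?
  header
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs a route might receive from a query parameter.
  ['report.pdf', '../../etc/passwd', 'a"b;c.txt', "x\r\ny.txt", 'résumé.pdf'].each do |name|
    puts "#{name.inspect} -> #{safe_content_disposition(name)}"
  end
end
```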
For Debian 10 Buster, this problem has been fixed in version 2.0.5-4+deb10u2.
We recommend that you upgrade your ruby-sinatra packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS