Debian Security Advisory

DLA-3264-1 ruby-sinatra -- LTS security update

Date Reported:
10 Jan 2023
Affected Packages:
ruby-sinatra
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2022-45442.
More information:

It was discovered that there was a potential reflected file download (RFD) vulnerability in ruby-sinatra, a Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a potentially user-supplied filename.

  • CVE-2022-45442

    Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Versions 2.2.3 and 3.0.4 contain patches for this issue.
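
The advisory describes the defect only in the abstract: a filename taken from the request ends up verbatim in Content-Disposition, so the client, not the server, decides what the browser saves and under which name. The following is an added illustration of the defensive principle, written for this page; it is not Sinatra's code, the upstream patch, or the Debian fix. The constants and function names (SAFE_EXTENSIONS, unsafe_content_disposition, sanitize_download_filename, rfc5987_encode, safe_content_disposition) and the extension allowlist are assumptions for the example.

```ruby
# Added illustration (not Sinatra's code): deriving Content-Disposition from a
# user-controlled filename without letting the client dictate the download.

# Constructed allowlist: the application decides which download types it serves.
SAFE_EXTENSIONS = %w[.txt .csv .pdf .png .jpg .json].freeze

# Vulnerable pattern: whatever the client sent is interpolated unchanged, so the
# name, its extension, embedded quotes, CR/LF and extra header parameters are
# all chosen by the requester.
def unsafe_content_disposition(user_filename)
  %(attachment; filename="#{user_filename}")
end

# Hardened pattern, step 1: reduce the client's input to a plain basename with
# an allowlisted extension, or discard it and use a server-chosen name.
def sanitize_download_filename(user_filename, fallback: 'download.txt')
  name = user_filename.to_s.dup.force_encoding('UTF-8').scrub('')
  name = File.basename(name.gsub('\\', '/'))         # drop any directory part
  name = name.gsub(/[\x00-\x1f\x7f"\\;]/, '').strip   # CR/LF, quotes, backslash, ';'
  return fallback if name.empty? || name == '.' || name == '..'
  return fallback unless SAFE_EXTENSIONS.include?(File.extname(name).downcase)

  name
end

# RFC 5987 percent-encoding for the filename* parameter: only attr-chars pass
# through, every other byte becomes %XX.
def rfc5987_encode(str)
  str.b.gsub(/[^A-Za-z0-9!\#$&+.^_`|~-]/) { |byte| format('%%%02X', byte.ord) }
end

# Hardened pattern, step 2: build the header from the sanitized name only,
# with a legacy ASCII filename= parameter and a UTF-8 filename* parameter.
def safe_content_disposition(user_filename)
  name = sanitize_download_filename(user_filename)
  ascii = name.gsub(/[^\x20-\x7e]/, '_')   # legacy filename= must be ASCII
  %(attachment; filename="#{ascii}"; filename*=UTF-8''#{rfc5987_encode(name)})
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal name, a traversal-looking name, a name
  # with a non-allowlisted extension, header injection characters, and UTF-8.
  ['report.csv', '../../report.csv', 'setup.bat', "a\r\nb\"c.txt", 'résumé.pdf'].each do |n|
    puts "#{n.inspect} => #{safe_content_disposition(n)}"
  end
end
```

The allowlist is the part that matters for RFD specifically: stripping quotes and line breaks stops header injection, but only refusing to honour an unexpected extension prevents the response from being saved under a name the server never intended. Replacing the fallback with a name derived from the resource being served (rather than from the request) is the usual next step.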

For Debian 10 Buster, this problem has been fixed in version 2.0.5-4+deb10u2.

We recommend that you upgrade your ruby-sinatra packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS