
[SECURITY] [DLA 3264-1] ruby-sinatra security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3264-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 10, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-sinatra
Version        : 2.0.5-4+deb10u2
CVE ID         : CVE-2022-45442
Debian Bug     : 1025125

It was discovered that there was a potential reflected file download
(RFD) vulnerability in ruby-sinatra, a Ruby library for writing HTTP
applications. A Content-Disposition HTTP header was being incorrectly
derived from a potentially user-supplied filename.

For Debian 10 buster, this problem has been fixed in version
2.0.5-4+deb10u2.

We recommend that you upgrade your ruby-sinatra packages.

For the detailed security status of ruby-sinatra please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sinatra

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
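
The header problem described above, as an added example: this is not Sinatra's code or the Debian patch. The helper names are hypothetical and the sample filenames are constructed. It contrasts interpolating a filename directly into Content-Disposition with encoding the characters that can end the quoted-string or the header line.

```ruby
# Added example: hypothetical helpers, not taken from Sinatra or the Debian patch.

# Naive form: the basename is interpolated into the quoted-string unchanged,
# so a double quote or CR/LF in the name alters the header's structure.
def naive_disposition(filename)
  format('attachment; filename="%s"', File.basename(filename.to_s))
end

# Hardened form: percent-encode the characters that can terminate the
# quoted-string (") or the header line (CR, LF), plus backslash and the
# escape character itself (%), so the encoding stays unambiguous.
def safe_disposition(filename)
  base = File.basename(filename.to_s)
  escaped = base.gsub(/["\\\r\n%]/) { |c| format('%%%02X', c.ord) }
  format('attachment; filename="%s"', escaped)
end

# Structural check usable in a unit test or response filter: exactly one
# filename parameter, a closed quoted-string, and no control characters.
def well_formed?(header)
  header.match?(/\Aattachment; filename="[^"\\\x00-\x1f\x7f]*"\z/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: a quote inside the name, and an embedded CR/LF.
  ['Q4 "final".txt', "a\r\nb.txt", '/tmp/x/notes.txt'].each do |name|
    [naive_disposition(name), safe_disposition(name)].each do |header|
      puts "#{well_formed?(header) ? 'ok ' : 'BAD'} #{header.inspect}"
    end
  end
end
```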
