SB2024072110 - openEuler 22.03 LTS SP1 update for rubygem-rack

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2022-44572)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing Content-Disposition header in lib/rack/multipart/parser.rb. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2024-26141)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Range request header in Rack. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Arbitrary code execution (CVE-ID: CVE-2016-4391)

The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness is due to insufficient input validation that lets attackers to execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code excution on the vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1822