From: carnil@debian.org
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team
Control: found -1 2.2.13-1~deb12u1
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-61919[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire
| request body into memory for `Content-Type: application/x-www-form-
| urlencoded`, calling `rack.input.read(nil)` without enforcing a
| length or cap. Large request bodies can therefore be buffered
| completely into process memory before parsing, leading to denial of
| service (DoS) through memory exhaustion. Users should upgrade to
| Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form
| parameter limits using `query_parser.bytesize_limit`, preventing
| unbounded reads of `application/x-www-form-urlencoded` bodies.
| Additionally, enforce strict maximum body size at the proxy or web
| server layer (e.g., Nginx `client_max_body_size`, Apache
| `LimitRequestBody`).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61919
https://www.cve.org/CVERecord?id=CVE-2025-61919
[1] https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
[2] https://github.com/rack/rack/commit/e179614c4a653283286f5f04428cbb85f21146f
[3] https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a303718ce2e124f9db
[4] https://github.com/rack/rack/commit/4e2c903991a790ee211a302108ff4fd6fe82881
Regards,
Salvatore
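The advisory quoted above recommends a strict body-size cap in front of the application while the Rack fix is rolled out. As an added example (not Rack's own code and not part of this report), the plain-Ruby middleware below applies such a cap at the Rack layer: it rejects an oversized `application/x-www-form-urlencoded` body on its declared length, and for chunked requests reads at most limit+1 bytes, so the whole body is never buffered the way an unpatched `Rack::Request#POST` would. `FormBodyLimit`, `DOWNSTREAM` and `handle` are constructed names; no gems are required.

```ruby
require 'stringio'

# Rack-style middleware (added example, not Rack's own code): enforce a byte
# cap on form bodies before an unpatched Rack::Request#POST can read(nil).
class FormBodyLimit
  FORM_TYPE = 'application/x-www-form-urlencoded'.freeze
  def initialize(app, limit:)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless form_request?(env)
    declared = env['CONTENT_LENGTH']
    # Declared length over the cap: reject before touching rack.input at all.
    return reject if declared && declared.to_i > @limit
    # Chunked or unstated length: read at most limit+1 bytes, so an oversized
    # body is detected without being buffered in full.
    body = env['rack.input'].read(@limit + 1) || ''
    return reject if body.bytesize > @limit
    # Hand the application a bounded, rewindable input with a matching length.
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end

  private
  def form_request?(env)
    env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.casecmp?(FORM_TYPE)
  end
  def reject
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Constructed stand-in for the application: counts the form fields it parses.
DOWNSTREAM = lambda do |env|
  fields = env['rack.input'].read.to_s.split('&').size
  [200, { 'content-type' => 'text/plain' }, ["fields=#{fields}"]]
end

# Build a minimal Rack env for a POST and run the stack; returns the HTTP
# status. content_length: nil simulates a chunked request with no length.
def handle(body, content_type: FormBodyLimit::FORM_TYPE, limit: 64,
           content_length: body.bytesize)
  env = { 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => content_type,
          'CONTENT_LENGTH' => content_length&.to_s,
          'rack.input' => StringIO.new(body) }
  FormBodyLimit.new(DOWNSTREAM, limit: limit).call(env).first
end
```

The 64-byte limit is only for the demonstration; in a deployment the cap should match the largest form the application legitimately accepts.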