5 matches found

Debian
added 2026/03/26 9:45 p.m. · 2 views

[SECURITY] [DSA 6180-1] ruby-rack security update

Debian Security Advisory DSA-6180-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 26, 2026 https://www.debian.org/security/faq -...

CVSS 7.5 · AI score 6.4 · EPSS 0.00123
Exploits: 2
UbuntuCve
added 2025/12/17 9:15 p.m. · 2 views

CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

CVSS 6 · AI score 7.2 · EPSS 0.00008
Exploits: 0 · References: 4
Snyk
added 2025/03/12 8:54 p.m. · 3 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to differences in XML document namespace parsing between REXML and Nokogiri, implemented in xmlsecurity.rb. An attacker can bypass authentication via Signature Wrapping attack...

CVSS 9.8 · AI score 7.2 · EPSS 0.03321
Exploits: 1 · References: 3
Snyk
added 2025/03/12 8:16 p.m. · 3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in decode_raw_saml, which does not sufficiently check the size of a compressed SAML response. An attacker can cause the application to consume excessive resources by sending a large...

CVSS 8.7 · AI score 6.9 · EPSS 0.06225
Exploits: 1 · References: 2
Positive Technologies
added 2019/07/27 12:0 a.m. · 3 views

PT-2019-4672 · Ruby +8 · Ruby +8

Name of the Vulnerable Software and Affected Versions: Ruby versions 2.4.7 and earlier, 2.5.x through 2.5.6, 2.6.x through 2.6.4 Description: The issue is related to a regular expression Denial of Service caused by looping/backtracking in the WEBrick::HTTPAuth::DigestAuth class in Ruby. This can ...

CVSS 9.8 · AI score 7.6 · EPSS 0.88646
Exploits: 32 · References: 359