Format: 1.8
Date: Tue, 10 Mar 2026 09:44:22 +0530
Source: ruby-rack
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.20-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Ruby Team
Changed-By: Utkarsh Gupta
Closes: 1128479 1128480
Changes:
 ruby-rack (3.1.20-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream version 3.1.20.
     - CVE-2026-25500: XSS injection via malicious filename in
       `Rack::Directory`. (Closes: #1128480)
     - CVE-2026-22860: Directory traversal via root prefix bypass in
       `Rack::Directory`. (Closes: #1128479)