XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ruby-rack-session
User: [email protected]
Usertags: unblock
Please unblock package ruby-rack-session
[ Reason ]
Grave bug #1104928.
[ Impact ]
Security issue enables session recovery.
[ Tests ]
The debdiff introduces a new test to check for the vulnerability.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
I have handled this as an NMU.
unblock ruby-rack-session/2.1.1-0.1
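The scenario behind the [ Impact ] line, as an added illustration that is not code from the bug report, the debdiff or rack-session itself: request A loads a session, request B deletes it at logout, and request A then commits its stale copy at the end of its own request. An unconditional pool write re-creates the entry under the same id, so the old cookie keeps working; the guard added in 2.1.1 (refuse to write an id that is no longer in the pool) returns false instead and the session stays gone. ToyPool, SessionId, generate_sid and stale_write_recovers_session? are constructed stand-ins; get_session_with_fallback is modelled on the call visible in the pool.rb hunk, not copied from rack-session.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the session id object (not rack-session code): the
# cookie carries public_id and the pool is keyed by a hashed private_id,
# mirroring the session_id.private_id use visible in the pool.rb hunk.
SessionId = Struct.new(:public_id) do
  def private_id
    "2::" + Digest::SHA256.hexdigest(public_id)
  end
end

# Minimal in-memory pool (assumption, modelled on Rack::Session::Pool) with
# both write_session shapes: guard_writes: false is the pre-2.1.1 behaviour,
# guard_writes: true is the shape of the 2.1.1 fix.
class ToyPool
  def initialize(guard_writes:)
    @pool = {}
    @mutex = Mutex.new
    @guard_writes = guard_writes
  end

  # Session creation is the only path that may add a new id to the pool, so
  # the guarded write below still accepts the first write of a fresh session.
  def generate_sid
    sid = SessionId.new(SecureRandom.hex(16))
    @mutex.synchronize { @pool[sid.private_id] = {} }
    sid
  end

  def find_session(sid)
    @mutex.synchronize { get_session_with_fallback(sid) }
  end

  # Returns the id on success, false when the write is refused.
  def write_session(sid, new_session)
    @mutex.synchronize do
      # Non-local return from the synchronize block; the lock is released
      # by the ensure inside Mutex#synchronize.
      return false if @guard_writes && !get_session_with_fallback(sid)
      @pool[sid.private_id] = new_session
      sid
    end
  end

  def delete_session(sid)
    @mutex.synchronize do
      @pool.delete(sid.private_id)
      @pool.delete(sid.public_id)
    end
  end

  private

  # Lookup by private id, falling back to the public id for legacy entries
  # (assumed shape of the call in the hunk).
  def get_session_with_fallback(sid)
    @pool[sid.private_id] || @pool[sid.public_id] unless sid.nil?
  end
end

# Race from the bug, serialised: A reads, B deletes (logout), A commits its
# stale copy. Returns true when the old id is usable again afterwards.
def stale_write_recovers_session?(guard_writes:)
  pool = ToyPool.new(guard_writes: guard_writes)
  sid = pool.generate_sid
  pool.write_session(sid, { 'user_id' => 42 })

  stale_copy = pool.find_session(sid).dup  # request A's in-memory session hash
  pool.delete_session(sid)                 # request B: logout deletes the session

  pool.write_session(sid, stale_copy)      # request A commits at end of request
  !pool.find_session(sid).nil?             # true => old cookie works again
end
```

The check and the store run under the same mutex, so there is no window between "is the id still in the pool" and the store for a concurrent delete to slip into; the unguarded variant has no such check at all, which is why the stale commit wins.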
diff -Nru ruby-rack-session-2.1.0/debian/changelog ruby-rack-session-2.1.1/debian/changelog
--- ruby-rack-session-2.1.0/debian/changelog 2025-03-08 16:10:24.000000000 +0100
+++ ruby-rack-session-2.1.1/debian/changelog 2025-07-15 13:10:44.000000000 +0200
@@ -1,3 +1,10 @@
+ruby-rack-session (2.1.1-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream version 2.1.1. (Closes: #1104928, CVE-2025-46336)
+
+ -- Bastian Germann <
[email protected]> Tue, 15 Jul 2025 13:10:44 +0200
+
ruby-rack-session (2.1.0-1) unstable; urgency=medium
* New upstream version 2.1.0.
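Review bot: the new entry's "* New upstream version 2.1.1." line gives the bug and CVE numbers but says nothing about what the upstream bump changes; for a security NMU that moves to a new upstream version during the freeze, add one line describing the fix, for example "* Refuse to write a session whose id is no longer in the pool (session recovery after deletion, CVE-2025-46336)", so the changelog explains the pool.rb change on its own and the unblock reviewer does not have to infer it from the debdiff.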
diff -Nru ruby-rack-session-2.1.0/lib/rack/session/pool.rb ruby-rack-session-2.1.1/lib/rack/session/pool.rb
--- ruby-rack-session-2.1.0/lib/rack/session/pool.rb 2025-01-04 08:40:54.000000000 +0100
+++ ruby-rack-session-2.1.1/lib/rack/session/pool.rb 2025-05-06 12:54:57.000000000 +0200
@@ -53,6 +53,7 @@
def write_session(req, session_id, new_session, options)
@mutex.synchronize do
+ return false unless get_session_with_fallback(session_id)
@pool.store session_id.pri
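Review bot: `return false unless get_session_with_fallback(session_id)` is a non-local return from inside the `@mutex.synchronize` block; that is safe in Ruby because Mutex#synchronize releases the lock in an ensure, and doing the lookup and the `@pool.store` under the same mutex leaves no window for a concurrent delete between the check and the store. Two things to confirm outside this hunk, since write_session now returns false for any id not already in the pool: that the session-creation path stores an entry before the first write_session call, so fresh sessions are not rejected, and that the caller treats a false return as "session not saved, do not set the cookie" rather than as an unexpected error.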