ELA-936-1 ruby-rack security update

denial of service

Version: 1.6.4-4+deb9u5 (stretch)
Related CVEs: CVE-2023-27539

It was discovered that carefully crafted input can cause header parsing in Rack, a modular Ruby webserver interface, to take an unexpectedly long time, which can be abused as a denial of service vector. Any application that parses headers using Rack (virtually all Rails applications) is affected.

For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u5.

We recommend that you upgrade your ruby-rack packages.
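As an added example (not part of this advisory or of Debian's own tooling), the following Ruby script reimplements dpkg's version ordering so that the version reported by `dpkg-query -W -f='${Version}' ruby-rack` on a stretch host can be checked against the fixed version 1.6.4-4+deb9u5; it goes beyond the advisory's single case by handling epochs and `~` pre-release suffixes, and the `ruby_rack_fixed?` helper name is my own.

```ruby
# Added example: compare Debian package versions the way dpkg does, to check
# whether an installed ruby-rack is at least the version fixed in ELA-936-1.
FIXED_RUBY_RACK_STRETCH = "1.6.4-4+deb9u5"

# Split "epoch:upstream-revision" into [epoch, upstream, revision];
# epoch defaults to 0 and revision to "" when absent (revision is after the last "-").
def split_deb_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  idx = rest.rindex("-")
  upstream, revision = idx ? [rest[0...idx], rest[(idx + 1)..-1]] : [rest, ""]
  [epoch.to_i, upstream, revision]
end

# dpkg's character weight: end of string and digits weigh 0, "~" sorts before
# everything (even the end of the string), letters sort before other characters.
def order(c)
  return 0 if c.nil? || c =~ /\d/
  return -1 if c == "~"
  return c.ord if c =~ /[A-Za-z]/
  c.ord + 256
end

# dpkg's verrevcmp: alternate non-digit runs (compared by weight) and digit runs
# (compared numerically, leading zeros ignored). Returns -1, 0 or 1.
def verrevcmp(a, b)
  i = j = 0
  while a[i] || b[j]
    while (a[i] && a[i] !~ /\d/) || (b[j] && b[j] !~ /\d/)
      d = order(a[i]) - order(b[j])
      return d <=> 0 unless d.zero?
      i += 1; j += 1
    end
    i += 1 while a[i] == "0"
    j += 1 while b[j] == "0"
    first_diff = 0
    while a[i] =~ /\d/ && b[j] =~ /\d/
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1; j += 1
    end
    return 1 if a[i] =~ /\d/     # a has more digits, so its number is larger
    return -1 if b[j] =~ /\d/
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end

# Full comparison: epoch first, then upstream, then Debian revision.
def deb_version_compare(v1, v2)
  e1, u1, r1 = split_deb_version(v1)
  e2, u2, r2 = split_deb_version(v2)
  return e1 <=> e2 if e1 != e2
  c = verrevcmp(u1, u2)
  c.zero? ? verrevcmp(r1, r2) : c
end

# True when the installed version already carries the fix for CVE-2023-27539.
def ruby_rack_fixed?(installed)
  deb_version_compare(installed, FIXED_RUBY_RACK_STRETCH) >= 0
end

# Usage: ruby check_rack.rb "$(dpkg-query -W -f='${Version}' ruby-rack)"
if __FILE__ == $0 && ARGV[0]
  puts "#{ARGV[0]}: #{ruby_rack_fixed?(ARGV[0]) ? 'fixed' : 'vulnerable (CVE-2023-27539)'}"
end
```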

Further information about Extended LTS security advisories can be found in the dedicated section of our website.