ruby-rack (1.6.4-3ubuntu0.2+esm8) xenial-security; urgency=medium

  * SECURITY UPDATE: Race condition with authentication sessions.
    - debian/patches/CVE-2025-32441.patch: Add get_session_with_fallback()
      check and pool.store in ./lib/rack/session/pool.rb.
    - CVE-2025-32441

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Thu, 08 May 2025 18:38:29 -0230

ruby-rack (1.6.4-3ubuntu0.2+esm7) xenial-security; urgency=medium

  * debian/tests/control: remove ruby-memcache-client from dependency list
    to fix failing autopkgtests
  * SECURITY UPDATE: injection vulnerabilities
    - debian/patches/CVE-2025-25184.patch: Escape non-printable
      characters when logging.
    - debian/patches/CVE-2025-27111.patch: Use `#inspect` to prevent log
      injection.
    - CVE-2025-25184
    - CVE-2025-27111
  * SECURITY UPDATE: path traversal vulnerability
    - debian/patches/CVE-2025-27610-pre.patch: fixing support for
      directories that have + in the name
    - debian/patches/CVE-2025-27610.patch: Use a fully resolved file
      path when confirming if a file can be served by `Rack::Static`.
    - CVE-2025-27610

 -- Shishir Subedi <shishir.subedi@canonical.com>  Fri, 14 Mar 2025 12:20:57 +0545
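The "fully resolved file path" check described in the CVE-2025-27610 entry above, as an added stand-alone Ruby example (not Rack's own Rack::Static code): the request path is joined to the root and resolved with File.realpath before it is tested against the resolved root, so the ".." and symlink cases in the constructed fixture are rejected while a naive string-prefix check on the unresolved path accepts them. The names servable?, naive_servable? and demo are this example's own.

```ruby
require "tmpdir"
require "fileutils"

# Hardened check: resolve both root and candidate to real filesystem paths, so
# ".." segments and symlinks are expanded before the "inside root?" test.
def servable?(root, request_path)
  real_root = File.realpath(root)
  candidate = File.join(real_root, request_path)
  return false unless File.file?(candidate)   # realpath needs an existing file
  resolved = File.realpath(candidate)
  resolved.start_with?(real_root + File::SEPARATOR)
end

# Naive check: compares the unresolved joined string, so it is satisfied by a
# path that textually starts with root even when it escapes it.
def naive_servable?(root, request_path)
  candidate = File.join(root, request_path)
  File.file?(candidate) && candidate.start_with?(root)
end

# Constructed fixture (hypothetical layout): public/index.html inside the
# served root, secret.txt outside it, and a symlink inside root pointing out.
# Returns [naive result, resolved result] for each case.
def demo
  Dir.mktmpdir("rack-static-demo") do |tmp|
    root = File.join(tmp, "public")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "index.html"), "<h1>ok</h1>")
    File.write(File.join(tmp, "secret.txt"), "outside the served root")
    File.symlink(File.join(tmp, "secret.txt"), File.join(root, "link.txt"))
    {
      index:   [naive_servable?(root, "index.html"),    servable?(root, "index.html")],
      dotdot:  [naive_servable?(root, "../secret.txt"), servable?(root, "../secret.txt")],
      symlink: [naive_servable?(root, "link.txt"),      servable?(root, "link.txt")],
    }
  end
end
```

Because File.realpath also follows symlinks, the same resolution step covers the symlink case that the 1.4.1-2.1 entry's CVE-2013-0262 patch addresses.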

ruby-rack (1.6.4-3ubuntu0.2+esm6) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service due to large server responses
    - debian/patches/CVE-2024-26141.patch: Return an empty array when
      ranges are too large
    - CVE-2024-26141
  * SECURITY UPDATE: regular expression denial of service
    - debian/patches/CVE-2024-26146.patch: Fixing ReDoS in header
      parsing
    - CVE-2024-26146

 -- Bruce Cable <bruce.cable@canonical.com>  Tue, 13 Aug 2024 15:49:26 +1000

ruby-rack (1.6.4-3ubuntu0.2+esm5) xenial-security; urgency=medium

  * SECURITY UPDATE: Regular expression denial of service
    - debian/patches/CVE-2023-27539.patch: Fixes ReDoS by replacing regular
      expression with string literal and whitespace trimming
    - CVE-2023-27539

 -- Bruce Cable <bruce.cable@canonical.com>  Fri, 19 Jul 2024 13:05:26 +1000

ruby-rack (1.6.4-3ubuntu0.2+esm4) xenial-security; urgency=medium

  * SECURITY UPDATE: uncontrolled resource consumption due to inefficient
    regular expression complexity
    - debian/patches/CVE-2022-44570.patch: fix ReDoS in
      Rack::Utils.get_byte_ranges.
    - debian/patches/CVE-2022-44571-pre1.patch: fix bug in parsing of
      Content-Disposition header where an unquoted name at end-of-line sucked
      in the trailing newline.
    - debian/patches/CVE-2022-44571-pre2.patch: when parsing the name
      parameter of Content-Disposition, support quoted chars in the
      quoted-string case.
    - debian/patches/CVE-2022-44571.patch: fix ReDoS vulnerability in
      multipart parser.
    - CVE-2022-44570
    - CVE-2022-44571

 -- Camila Camargo de Matos <camila.camargodematos@canonical.com>  Thu, 02 Mar 2023 09:43:57 -0300

ruby-rack (1.6.4-3ubuntu0.2+esm2) xenial-security; urgency=medium

  * SECURITY UPDATE: uncontrolled resource consumption due to parsing through
    regular expression
    - debian/patches/CVE-2022-30122.patch: restrict broken mime parsing.
    - CVE-2022-30122
  * SECURITY UPDATE: improper neutralization of characters processed by Lint
    and CommonLogger components
    - debian/patches/CVE-2022-30123.patch: escape untrusted text when logging
    - CVE-2022-30123

 -- Camila Camargo de Matos <camila.camargodematos@canonical.com>  Mon, 12 Dec 2022 11:30:13 -0300

ruby-rack (1.6.4-3ubuntu0.2+esm1) xenial-security; urgency=medium

  * SECURITY UPDATE: Information leak leading to session hijack vulnerability
    in Rack.
    - debian/patches/CVE-2019-16782.patch: Use separate public and private
      session id.
    - CVE-2019-16782

 -- Spyros Seimenis <spyros.seimenis@canonical.com>  Tue, 25 Jan 2022 20:00:23 +0200

ruby-rack (1.6.4-3ubuntu0.2) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

 -- Eduardo Barretto <eduardo.barretto@canonical.com>  Thu, 01 Apr 2021 12:43:47 +0200

ruby-rack (1.6.4-3ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Crafted requests can impact the data returned by the scheme
    method on Rack::Request leading to an XSS attack.
    - debian/patches/CVE-2018-16471.patch: whitelist http/https schemes.
    - CVE-2018-16471

 -- Eduardo Barretto <eduardo.barretto@canonical.com>  Tue, 06 Aug 2019 11:38:00 -0300

ruby-rack (1.6.4-3) unstable; urgency=medium

  * Team upload
  * Bump compat. version to 9
  * Update Debian packaging using dh-make-ruby
  * d/control:
      Update Vcs-* fields (switch to cgit and https everywhere)
      Bump Standards-Version to 3.9.7 (no changes)
      Move to ruby-dalli (memcache-client is deprecated)
        ROM for ruby-memcache-client
        https://github.com/rack/rack/issues/1025
      Remove librack-ruby* relations (those packages are long gone)

 -- Sebastien Badia <seb@sebian.fr>  Thu, 03 Mar 2016 16:24:53 -0300

ruby-rack (1.6.4-2) unstable; urgency=medium

  * Upload to unstable

 -- Antonio Terceiro <terceiro@debian.org>  Sat, 12 Dec 2015 16:08:31 -0200

ruby-rack (1.6.4-1) experimental; urgency=medium

  * Team upload
  * New upstream release
  * Refresh patch (part merged upstream)

 -- Pirate Praveen <praveen@debian.org>  Fri, 07 Aug 2015 01:16:26 +0530

ruby-rack (1.5.2-4) unstable; urgency=medium

  * Add patch: Fix upstream Issue 631
    - uninitialized constant Rack::Response::BodyProxy
  * Create cherry-picked patch for Security Fix (Closes: #789311)
    - CVE-2015-3225: 1-4-deep_params.patch

 -- Youhei SASAKI <uwabami@gfd-dennou.org>  Wed, 29 Jul 2015 17:32:29 +0900

ruby-rack (1.5.2-3) unstable; urgency=medium

  * add myself to Uploaders:
  * debian/ruby-tests.rake: run all tests instead of a subset of them
  * debian/tests/control: add a gem2deb-test-runner test

 -- Antonio Terceiro <terceiro@debian.org>  Fri, 17 Oct 2014 09:41:28 -0300

ruby-rack (1.5.2-2) unstable; urgency=medium

  * Team upload.
  * Rebuild with recent gem2deb to make package visible to Rubygems on all
    Ruby interpreters
  * Drop transitional packages
  * Add autopkgtest smoke test

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 24 Jul 2014 19:24:55 -0300

ruby-rack (1.5.2-1) unstable; urgency=low

  * Team upload.

  [ Cédric Boutillier ]
  * debian/control: remove obsolete DM-Upload-Allowed flag
  * use canonical URI in Vcs-* fields

  [ Christian Hofstaedtler ]
  * New upstream release.
  * Removed all patches, already applied upstream.

 -- Christian Hofstaedtler <christian@hofstaedtler.name>  Mon, 03 Jun 2013 15:56:09 +0200

ruby-rack (1.4.1-2.1) unstable; urgency=high

  [ KURASHIKI Satoru ]
  * Non-maintainer upload.
  * Create cherry-picked patches for Security Fix (Closes: #700173 #700226).
    - CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch
    - CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch

  [ Youhei SASAKI ]
  * Create cherry-picked patches for Security Fix (Closes: #698440).
    - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
    - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
    - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch

 -- KURASHIKI Satoru <lurdan@gmail.com>  Wed, 20 Feb 2013 20:56:31 +0900
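The secure_compare change in the CVE-2013-0263 entry above, as an added Ruby example (a stand-alone re-implementation, not Rack's Rack::Utils.secure_compare): a session cookie of the form data--hmac is verified with a comparison whose running time does not depend on where the first mismatching byte is, shown beside the String#== form it replaces. SECRET is a constructed placeholder and the function names are this example's own.

```ruby
require "openssl"

# Constant-time comparison: reject on length first, then XOR every byte pair
# and OR the results, so the loop always runs over the full string.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff == 0
end

SECRET = "constructed-demo-secret".freeze # placeholder for the app's real secret

def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Splits "data--hmac" on the last "--"; nil when no separator is present.
def split_cookie(cookie)
  data, sep, digest = cookie.rpartition("--")
  sep.empty? ? nil : [data, digest]
end

# Vulnerable shape: String#== returns at the first differing byte, so the time
# taken depends on how much of the supplied digest is already correct.
def verify_cookie_naive(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil unless data
  digest == sign(data, secret) ? data : nil
end

# Fixed shape: same result, but the comparison runs in constant time.
def verify_cookie_secure(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil unless data
  secure_compare(digest, sign(data, secret)) ? data : nil
end
```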

ruby-rack (1.4.1-2) unstable; urgency=low

  * Bump build dependency on gem2deb to >= 0.3.0~

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 25 Jun 2012 15:07:51 -0300

ruby-rack (1.4.1-1) unstable; urgency=low

  * New Upstream version 1.4.1
  * Bump standard version: 3.9.3
  * Add Build-Depends: rake, bacon, ruby-memcache-client, thin
  * Add d/s/local-options: Update patch handling
  * Update ruby-tests.rb to ruby-tests.rake: running full test

 -- Youhei SASAKI <uwabami@gfd-dennou.org>  Wed, 07 Mar 2012 01:00:16 +0900

ruby-rack (1.4.0-1) unstable; urgency=low

  * New upstream release (closes: #653963).

 -- Paul van Tilburg <paulvt@debian.org>  Tue, 03 Jan 2012 22:39:13 +0100

ruby-rack (1.3.5-1) unstable; urgency=low

  * New upstream release.
  * Fix my email address.
  * Fix priority of transitional packages.
  * TESTS ARE DISABLED: many dependencies required for tests are not
    packaged yet.

 -- Lucas Nussbaum <lucas@debian.org>  Wed, 21 Dec 2011 10:52:37 +0100

ruby-rack (1.3.1-1) unstable; urgency=low

  * New upstream release: 1.3.1
  * Bump Standard version: 3.9.2
  * Add me to Uploaders
  * Add ruby-bacon to Build-Depends
  * Add manpage for rackup Closes: #606910
    - Thanks to Glido Fiorito <fiorito.g@gmail.com>

 -- Youhei SASAKI <uwabami@gfd-dennou.org>  Tue, 26 Jul 2011 00:57:23 +0900

ruby-rack (1.2.2-2) unstable; urgency=low

  * Add transitional packages from librack-ruby.

 -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Tue, 26 Apr 2011 16:34:08 +0200

ruby-rack (1.2.2-1) unstable; urgency=low

  * Switch to gem2deb-based packaging. Rename source and binary package.
  * libopenssl-ruby was merged in the main ruby package. Closes: #574960
    Closes: #592416.
  * new upstream release.
  * TESTS ARE DISABLED: many dependencies required for tests are not
    packaged yet.

 -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Tue, 26 Apr 2011 15:44:15 +0200

librack-ruby (1.1.0-4) unstable; urgency=low

  * Team upload.
  * This package is now maintained within the Debian/Ruby Extras team.
  * debian/control:
    - Added the team (and myself) to the uploaders.
    - Updated the Vcs-* fields.
  * Version the dependency between librack-ruby and librack-ruby1.8.
    Closes: #583553
  * Rename the 1.9.1 binary to rackup1.9.1

 -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Sat, 18 Sep 2010 08:31:46 +0200

librack-ruby (1.1.0-3) unstable; urgency=low

  * adopt package
  * add Conflicts/Replaces from librack-ruby1.9.1 to librack-ruby1.9
    because of /usr/bin/rackup1.9 (Closes: #570435)

 -- Ryan Niebur <ryan@debian.org>  Sat, 13 Mar 2010 12:14:56 -0800

librack-ruby (1.1.0-2) unstable; urgency=low

  * Move to ruby1.9.1 (Closes: #569884).
  * Removed unused lintian override.
  * Bumped up Standards-Version.

 -- Sebastien Delafond <seb@debian.org>  Mon, 15 Feb 2010 19:42:49 +0100

librack-ruby (1.1.0-1) unstable; urgency=low

  * New upstream release.

 -- Sebastien Delafond <seb@debian.org>  Fri, 08 Jan 2010 18:50:25 +0100

librack-ruby (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * Bumped up Standards revision.
  * Moved to CDBS.
  * Lintian cleanups.

 -- Sebastien Delafond <seb@debian.org>  Wed, 21 Oct 2009 11:36:29 +0200

librack-ruby (1.0.0-1) unstable; urgency=low

  * New upstream release.
  * Added debian/watch file.
  * Bumped up Standards version to 3.8.1.
  * Bumped up debhelper compat level to 6.
  * Moved to section "ruby".
  * Added proper versioned dependency on debhelper (for dh_lintian).
  * Updated short description for librack-ruby1.8.

 -- Sebastien Delafond <seb@debian.org>  Tue, 28 Apr 2009 02:14:00 -0700

librack-ruby (0.9.1-1) unstable; urgency=low

  * New upstream release (Closes: #516855).

 -- Sebastien Delafond <seb@debian.org>  Mon, 23 Feb 2009 19:29:20 -0800

librack-ruby (0.3.0-2) unstable; urgency=low

  * Corrected short description for librack-ruby1.8

 -- Sebastien Delafond <seb@debian.org>  Wed, 07 May 2008 14:13:26 -0700

librack-ruby (0.3.0-1) unstable; urgency=low

  * Initial Release (Closes: #480035).

 -- Sebastien Delafond <seb@debian.org>  Wed, 07 May 2008 11:28:30 -0700

