Security update for rubygem-rack

Announcement ID:	SUSE-SU-2025:01586-2
Release Date:	2025-06-03T09:17:07Z
Rating:	important
References:	bsc#1242894 bsc#1242899
Cross-References:	CVE-2025-32441 CVE-2025-46727
CVSS scores:	CVE-2025-32441 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-32441 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2025-32441 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2025-46727 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-46727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-46727 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise High Availability Extension 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves two vulnerabilities can now be installed.

Description:

This update for rubygem-rack fixes the following issues:

• CVE-2025-46727: possible memory exhaustion due to unbounded parameter parsing in Rack::QueryParser (bsc#1242894).
• CVE-2025-32441: deleted sessions can be restored and occupied by unauthenticated users when the Rack::Session::Pool middleware is being used (bsc#1242899).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Availability Extension 15 SP7
  zypper in -t patch SUSE-SLE-Product-HA-15-SP7-2025-1586=1

Package List:

• SUSE Linux Enterprise High Availability Extension 15 SP7 (aarch64 ppc64le s390x x86_64)
  • ruby2.5-rubygem-rack-2.0.8-150000.3.31.1

References:

• https://www.suse.com/security/cve/CVE-2025-32441.html
• https://www.suse.com/security/cve/CVE-2025-46727.html
• https://bugzilla.suse.com/show_bug.cgi?id=1242894
• https://bugzilla.suse.com/show_bug.cgi?id=1242899