Описание
Security update for hawk2
This update for hawk2 fixes the following issues:
- Bump ruby gem rack to 3.1.18 (bsc#1251939).
- Bump ruby gem uri to 1.0.4.
- Fix the mtime in manifest.json (bsc#1230275).
- Make builds determinitstic (bsc#1230275).
- Bump rails version from 8.0.2 to 8.0.2.1 (bsc#1248100).
- Require openssl explicitly (bsc#1247899).
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1230275
- SUSE Bug 1247899
- SUSE Bug 1248100
- SUSE Bug 1251939
- SUSE CVE CVE-2025-55193 page
- SUSE CVE CVE-2025-61919 page
Описание
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Затронутые продукты
Ссылки
- CVE-2025-55193
- SUSE Bug 1248099
Описание
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
Затронутые продукты
Ссылки
- CVE-2025-61919
- SUSE Bug 1251934