==========================================================================
Ubuntu Security Notice USN-7664-1
July 22, 2025

ruby-sinatra vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Sinatra.

Software Description:
- ruby-sinatra: Ruby web-development dressed in a DSL

Details:

It was discovered that Sinatra incorrectly handled serving static files.
An attacker could possibly use this issue to perform local file inclusion,
obtaining sensitive information.
(CVE-2022-29970)

It was discovered that Sinatra incorrectly handled special characters in
the Content-Disposition HTTP header. An attacker could possibly use this
issue to perform a reflected file download attack, achieving remote code
execution. (CVE-2022-45442)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  ruby-sinatra                    2.0.8.1-2+deb11u1build0.22.04.1

Ubuntu 20.04 LTS
  ruby-sinatra                    2.0.8.1-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ruby-sinatra                    1.4.8-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ruby-sinatra                    1.4.7-3ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7664-1
  CVE-2022-29970, CVE-2022-45442

Package Information:
  https://launchpad.net/ubuntu/+source/ruby-sinatra/2.0.8.1-2+deb11u1build0.22.04.1