USN-8190-1: Rack::Session vulnerability
Publication date
20 April 2026
Overview
Rack::Session could allow unintended access to network services.
Releases
Packages
- ruby-rack-session - Session management implementation for Rack
Details
SeungMyung Lee discovered that Rack::Session did not properly reject
cookies upon decryption failure. A remote attacker could use this issue to
manipulate session contents and possibly gain unauthorized access.
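The fail-closed behaviour the fix restores can be sketched as follows. This is an added example, not Rack::Session's code or the patch itself: the `StrictCookieCodec` class, its AES-256-GCM cookie layout and its JSON payload are assumptions made for illustration. Any cookie that fails decoding, authentication or parsing yields `nil` (an empty session), with no fallback that interprets the raw cookie bytes.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed illustration of fail-closed cookie decryption (hypothetical class).
class StrictCookieCodec
  IV_LEN  = 12 # GCM nonce length in bytes
  TAG_LEN = 16 # GCM authentication tag length in bytes

  def initialize(key)
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    @key = key
  end

  # Encrypt a session hash as base64url(iv || tag || ciphertext).
  def dump(session)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ct = cipher.update(JSON.generate(session)) + cipher.final
    Base64.urlsafe_encode64(iv + cipher.auth_tag + ct)
  end

  # Return the session hash, or nil when the cookie fails any check.
  # Every failure path ends in nil; nothing from a rejected cookie is used.
  def load(cookie)
    raw = Base64.urlsafe_decode64(cookie.to_s)
    return nil if raw.bytesize < IV_LEN + TAG_LEN

    iv  = raw[0, IV_LEN]
    tag = raw[IV_LEN, TAG_LEN]
    ct  = raw[(IV_LEN + TAG_LEN)..]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    plain = (cipher.update(ct) + cipher.final).force_encoding("UTF-8")
    data = JSON.parse(plain)
    data.is_a?(Hash) ? data : nil
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    # Bad base64, empty ciphertext, failed tag check or malformed payload.
    nil
  end
end
```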
Update instructions
After a standard system update you need to restart ruby-rack-session to make all the necessary changes.
Learn more about how to get the fixes.
The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version |
|---|---|
| 25.10 questing | ruby-rack-session – 2.1.1-0.1ubuntu0.1 |