The following CVEs were reported against src:ruby-rack.
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u2.
We recommend that you upgrade your ruby-rack packages.
For the detailed security status of ruby-rack please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-rack
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS