diff -Nru ruby-rack-1.6.4/debian/changelog ruby-rack-1.6.4/debian/changelog
--- ruby-rack-1.6.4/debian/changelog 2019-08-06 14:20:40.000000000 +0000
+++ ruby-rack-1.6.4/debian/changelog 2020-09-30 15:08:48.000000000 +0000
@@ -1,3 +1,17 @@
+ruby-rack (1.6.4-4ubuntu0.2) bionic-security; urgency=medium
+
+ * Merge patches from Debian.
+ * SECURITY UPDATE: Directory traversal vulnerability.
+ - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
+ Dir[glob] to prevent user-specified glob metacharacters.
+ - CVE-2020-8161
+ * SECURITY UPDATE: Cookie forgery.
+ - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
+ decode the values.
+ - CVE-2020-8184
+
+ -- Eduardo Barretto Wed, 30 Sep 2020 12:08:48 -0300
+
 ruby-rack (1.6.4-4ubuntu0.1) bionic-security; urgency=medium
 
  * SECURITY UPDATE: Crafted requests can impact the data returned by the scheme
diff -Nru ruby-rack-1.6.4/debian/patches/CVE-2020-8161.patch ruby-rack-1.6.4/debian/patches/CVE-2020-8161.patch
--- ruby-rack-1.6.4/debian/patches/CVE-2020-8161.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-1.6.4/debian/patches/CVE-2020-8161.patch 2020-09-30 15:08:23.000000000 +0000
@@ -0,0 +1,25 @@
+From dddb7ad18ed79ca6ab06ccc417a169fde451246e Mon Sep 17 00:00:00 2001
+From: Jack McCracken
+Date: Tue, 12 May 2020 12:23:33 -0400
+Subject: [PATCH] Use Dir.entries instead of Dir[glob] to prevent
+ user-specified glob metacharacters.
+ [CVE-2020-8161]
+
+--- a/lib/rack/directory.rb
++++ b/lib/rack/directory.rb
+@@ -78,13 +78,13 @@
+
+ def list_directory
+ @files = [['../','Parent Directory','','','']]
+- glob = F.join(@path, '*')
+
+ url_head = (@script_name.split('/') + @path_info.split('/')).map do |part|
+ Rack::Utils.escape part
+ end
+
+ Dir[glob].sort.each do |node|
++ Dir.entries(@path).reject { |e| e.start_with?('.') }.sort.each do |node|
++ node = F.join path, node
+ stat = stat(node)
+ next unless stat
+ basename = F.basename(node)
diff -Nru ruby-rack-1.6.4/debian/patches/CVE-2020-8184.patch ruby-rack-1.6.4/debian/patches/CVE-2020-8184.patch
--- ruby-rack-1.6.4/debian/patches/CVE-2020-8184.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-1.6.4/debian/patches/CVE-2020-8184.patch 2020-09-30 15:08:13.000000000 +0000
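Review bot: The two added lines read the directory through `@path` but build each entry with the bare `path` accessor (`Dir.entries(@path)` followed by `node = F.join path, node`); both must name the same directory, and if Directory exposes `path` as an accessor for `@path` (not visible in this hunk) one spelling should be used on both lines, e.g. `node = F.join @path, node`. `Dir.entries` includes `.` and `..`, so the `reject` of dot-entries is what keeps the hard-coded `../` parent link from being duplicated and also mirrors the old `*` glob, which skipped hidden files; that intent deserves a comment such as `# Dir.entries lists '.' and '..'; dropping dot-entries also keeps hidden files out, as the old glob did`. Unlike CVE-2020-8184.patch in this same upload, this patch carries no regression test; a spec that lists a directory whose requested name contains glob metacharacters would pin the fix in place. The enclosing list_directory method continues past the end of the hunk.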
@@ -0,0 +1,42 @@
+From 1ea406d593bfa88ef18b4b4a1cb30e422a342202 Mon Sep 17 00:00:00 2001
+From: Orhan Toy
+Date: Mon, 29 Jun 2020 21:47:05 +0200
+Subject: [PATCH] Backport (1.6) fix for CVE-2020-8184
+
+This is essentially a copy of 1f5763de6a9fe515ff84992b343d63c88104654c tweaked for the 1-6-stable branch.
+---
+ lib/rack/request.rb | 8 ++++++--
+ test/spec_request.rb | 5 +++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -304,8 +304,12 @@
+ # the Cookie header such that those with more specific Path attributes
+ # precede those with less specific. Ordering with respect to other
+ # attributes (e.g., Domain) is unspecified.
+- cookies = Utils.parse_query(string, ';,') { |s| Rack::Utils.unescape(s) rescue s }
+- cookies.each { |k,v| hash[k] = Array === v ? v.first : v }
++ return {} unless string
++ string.split(/[;,] */n).each do |cookie|
++ next if cookie.empty?
++ key, value = cookie.split('=', 2)
++ hash[key] = (Rack::Utils.unescape(value) rescue value) unless hash.key?(key)
++ end
+ @env["rack.request.cookie_string"] = string
+ hash
+ end
+--- a/test/spec_request.rb
++++ b/test/spec_request.rb
+@@ -553,6 +553,11 @@
+ req.cookies["foo"].should == "%"
+ end
+
++ should "parsing cookies should only decode the values" do
++ req = Rack::Request.new Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar")
++ req.cookies.should.equal '%66oo' => 'baz', 'foo' => 'bar'
++ end
++
+ should "parse cookies according to RFC 2109" do
+ req = Rack::Request.new \
+ Rack::MockRequest.env_for('', 'HTTP_COOKIE' => 'foo=bar;foo=car')
diff -Nru ruby-rack-1.6.4/debian/patches/series ruby-rack-1.6.4/debian/patches/series
--- ruby-rack-1.6.4/debian/patches/series 2019-08-06 14:20:29.000000000 +0000
+++ ruby-rack-1.6.4/debian/patches/series 2020-09-30 15:08:23.000000000 +0000
@@ -1,2 +1,4 @@
 0001-Fix-Params_Depth.patch
 CVE-2018-16471.patch
+CVE-2020-8184.patch
+CVE-2020-8161.patch
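Review bot: `return {} unless string` is the one exit in this hunk that hands back a fresh hash rather than the memoized `hash` returned on the method's last line, and it also skips the `@env["rack.request.cookie_string"] = string` update, so a caller reaching it gets an object distinct from `env["rack.request.cookie_hash"]`; `return hash unless string` would keep the two paths consistent (the method's opening lines, where `hash` and `string` are set up, are outside the hunk). The inline `rescue value` swallows every StandardError, including the one `Rack::Utils.unescape` presumably raises when a segment has no `=` and `value` is nil, so such a cookie is stored under its name with a nil value; that matches the removed parse_query path but is worth a comment such as `# a segment without '=' leaves value nil; unescape then fails and the cookie is kept as nil`. The key is intentionally left un-decoded, which is the CVE fix, and the spec_request.rb hunk pins that with the `%66oo`/`foo` pair.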