2 changes: 1 addition & 1 deletion Gemfile.lock
Expand Up @@ -82,7 +82,7 @@ GEM
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
rack (1.6.4)
rack (1.6.13)


Cycode: Security vulnerability found in newly introduced dependency.

Severity High
Issue Denial of Service Vulnerability in Rack Multipart Parsing: CVE-2022-30122
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.0.9.1

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.

Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

But it also includes reading POST data from a Rack request object like this:

p request.POST # read POST data
p request.params # reads both query params and POST data

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:

Tag: #cycode_ignore_manifest_here
Short Description: Applies to this manifest in this request only


Cycode: Security vulnerability found in newly introduced dependency.

Severity High
Issue Directory traversal in Rack::Directory app bundled with Rack: CVE-2020-8161
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.1.3

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.



Cycode: Security vulnerability found in newly introduced dependency.

Severity High
Issue Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names: CVE-2020-8184
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.1.4

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.



Cycode: Security vulnerability found in newly introduced dependency.

Severity High
Issue Rack has possible DoS Vulnerability in Multipart MIME parsing: CVE-2023-27530
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.0.9.3

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All.
Not affected: None
Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

Impact

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

A proxy can be configured to limit the POST body size which will mitigate this issue.



Cycode: Security vulnerability found in newly introduced dependency.

Severity High
Issue Denial of service via header parsing in Rack: CVE-2022-44570
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.0.9.2

There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.

Versions Affected: >= 1.5.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1

Impact

Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.0 series
2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.1 series
2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.2 series
3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 3.0 series

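To turn the fixed-version lists from the CVE-2022-30122, CVE-2022-44570 and CVE-2023-27530 comments above into a check on the lockfile in this diff, here is an added example (not Cycode's logic and not this project's code): it reads the locked rack version from a constructed Gemfile.lock excerpt and reports which of those three advisories that version is still exposed to. The series-based reading of the fix lists (patched if at or above the fix for its own major.minor series, or newer than every listed fix) is an assumption of this example.

```ruby
require "rubygems" # Gem::Version

# Constructed specs: excerpt matching the rack line in this PR's diff.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      coderay (1.1.2)
      rack (1.6.13)
      rack-oauth2 (1.2.2)
        activesupport (>= 2.3)
LOCK

# Affected floor and fixed versions as quoted in the three Rack advisories
# above that list fixed releases (nil floor means "All").
ADVISORIES = {
  "CVE-2022-30122" => { from: "1.2",   fixed: %w[2.0.9.1 2.1.4.1 2.2.3.1] },
  "CVE-2022-44570" => { from: "1.5.0", fixed: %w[2.0.9.2 2.1.4.2 2.2.6.2 3.0.0.1] },
  "CVE-2023-27530" => { from: nil,     fixed: %w[2.0.9.3 2.1.4.3 2.2.6.3 3.0.4.2] },
}.freeze

# A top-level spec is indented exactly four spaces ("    rack (1.6.13)");
# dependency lines sit at six spaces with constraint operators and are skipped.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([\d.]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Assumption: patched when at or above the fix for its own major.minor series,
# or newer than every listed fix (a series cut after the fix landed).
def patched?(version, fixed_list)
  fixed = fixed_list.map { |f| Gem::Version.new(f) }
  same_series = fixed.find { |f| f.segments[0, 2] == version.segments[0, 2] }
  return version >= same_series if same_series
  version > fixed.max
end

# CVE ids from ADVISORIES that the given version is still exposed to.
def affected_cves(version)
  ADVISORIES.select do |_cve, adv|
    in_range = adv[:from].nil? || version >= Gem::Version.new(adv[:from])
    in_range && !patched?(version, adv[:fixed])
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCK, "rack")
  puts "rack #{v}: still affected by #{affected_cves(v).join(', ')}"
end
```

For the 1.6.13 in this diff the check reports all three advisories, which is the practical reading of the bot's findings.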


Cycode: Security vulnerability found in newly introduced dependency.

Severity Critical
Issue Possible shell escape sequence injection vulnerability in Rack: CVE-2022-30123
Ecosystem RubyGems
Dependency rack
Dependency Paths ``
Direct Dependency No
Upgrade 2.0.9.1

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:

use Rack::Lint

Or

use Rack::CommonLogger

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

Remove these middleware from your application

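For the Lint/CommonLogger finding above, here is an added defensive example (not Rack's code and not part of this PR): a log sink that escapes control bytes before a log line reaches a terminal, so a request line carrying an ESC sequence is displayed as text rather than interpreted. It assumes only that Rack::CommonLogger accepts any logger object responding to #write; it is defence in depth alongside the upgrade, since the underlying parsing and the Lint output are unchanged by it.

```ruby
require "stringio"

# Log sink that neutralizes terminal escape sequences on their way to a TTY.
# Added example for this page; assumes Rack::CommonLogger will call #write
# on whatever logger object it is given.
class SanitizingLogSink
  # Bytes allowed through unchanged: printable ASCII, tab and newline.
  PRINTABLE = /[\x20-\x7e\t\n]/

  def initialize(io)
    @io = io
  end

  # Rewrite every other byte as \xNN so ESC (0x1b), BEL, CR and the like are
  # shown rather than interpreted. Non-ASCII UTF-8 bytes are escaped too, which
  # keeps the output unambiguous at the cost of readability for such paths.
  def self.sanitize(line)
    line.b.each_char.map { |c| c =~ PRINTABLE ? c : format("\\x%02x", c.ord) }.join
  end

  def write(line)
    @io.write(self.class.sanitize(line))
  end
end

# Constructed CommonLogger-style line with a clear-screen sequence (ESC [ 2 J)
# embedded in the request path.
SAMPLE_LINE = "127.0.0.1 - - [01/Jan/2024:00:00:00 +0000] \"GET /\e[2Jadmin HTTP/1.1\" 404 -\n"

# Write the sample through the sink into a buffer and return what a terminal would see.
def demo
  buf = StringIO.new
  SanitizingLogSink.new(buf).write(SAMPLE_LINE)
  buf.string
end

# In config.ru: use Rack::CommonLogger, SanitizingLogSink.new($stderr)
puts demo if __FILE__ == $PROGRAM_NAME
```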

rack-oauth2 (1.2.2)
activesupport (>= 2.3)
attr_required (>= 0.0.5)
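Review bot: The bump to `rack (1.6.13)` stays on the 1.6 series, which none of the attached advisories lists as fixed: the fixed releases they quote all start at 2.0.9.x (2.0.9.1 for CVE-2022-30122 and CVE-2022-30123, 2.0.9.2 for CVE-2022-44570, 2.0.9.3 for CVE-2023-27530), and the two 2020 issues are stated as affecting rack < 2.2.0 and rack < 2.2.3 / < 2.1.4, so 1.6.13 closes none of the six findings. They are also not introduced by this change: every quoted affected range ("All", ">= 1.2", ">= 1.5.0", "< 2.2.0") already included the previous 1.6.4, so the bot is surfacing a pre-existing exposure on the changed line. Since rack is transitive here (Direct Dependency: No), please identify which gem in this lockfile constrains rack below 2.0 and either bump that dependency so rack can move to a fixed 2.x release, or record in the PR description which of the listed workarounds the application applies in the meantime (limiting POST body size at the proxy; removing Rack::Lint and Rack::CommonLogger).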