Update dependency rack to v2.2.13 [SECURITY] #191
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
@rultor please, try to merge |
@renovate[bot] @yegor256 Oops, I failed. You can see the full log here (spent 2min) |
renovate
bot
force-pushed
the
renovate/rubygems-rack-vulnerability
branch
from
1636787 to
07d527b
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rubygems-rack-vulnerability
branch
from
07d527b to
74996e4
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rubygems-rack-vulnerability
branch
from
74996e4 to
48d248c
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rubygems-rack-vulnerability
branch
from
48d248c to
b119d1f
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rubygems-rack-vulnerability
branch
from
b119d1f to
182cc40
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'2.1.4.1'->'2.2.13'GitHub Vulnerability Alerts
CVE-2022-44570
There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.
Versions Affected: >= 1.5.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1
Impact
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
CVE-2022-44572
There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
CVE-2022-44571
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
CVE-2023-27530
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.
CVE-2023-27539
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1
Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.
CVE-2024-26146
Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
Credits
Thanks to svalkanov for reporting this and
providing patches!
CVE-2024-26141
Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.
Vulnerable applications will use the
Rack::Filemiddleware or theRack::Utils.byte_rangesmethods (this includes Rails applications).Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
Credits
Thank you ooooooo_q for the report and
patch
CVE-2024-25126
Summary
The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.
PoC
A simple HTTP request with lots of blank characters in the content-type header:
Impact
It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.
CVE-2025-25184
Summary
Rack::CommonLoggercan be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.Details
When a user provides the authorization credentials via
Rack::Auth::Basic, if success, the username will be put inenv['REMOTE_USER']and later be used byRack::CommonLoggerfor logging purposes.The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.
Impact
Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.
Mitigation
CVE-2025-27111
Summary
Rack::Sendfilecan be exploited by crafting input that includes newline characters to manipulate log entries.Details
The
Rack::Sendfilemiddleware logs unsanitized header values from theX-Sendfile-Typeheader. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.Impact
This vulnerability can distort log files, obscure attack traces, and complicate security auditing.
Mitigation
Rack::Sendfile.CVE-2025-27610
Summary
Rack::Staticcan serve files under the specifiedroot:even ifurls:are provided, which may expose other files under the specifiedroot:unexpectedly.Details
The vulnerability occurs because
Rack::Staticdoes not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.Impact
By exploiting this vulnerability, an attacker can gain access to all files under the specified
root:directory, provided they are able to determine then path of the file.Mitigation
Rack::Static, orroot:points at a directory path which only contains files which should be accessed publicly.It is likely that a CDN or similar static file server would also mitigate the issue.
Release Notes
rack/rack (rack)
v2.2.13Compare Source
Security
Rack::Static.v2.2.12Compare Source
Security
Rack::Sendfile.v2.2.11Compare Source
Security
Rack::CommonLogger.v2.2.10Compare Source
v2.2.9Compare Source
v2.2.8.1Compare Source
What's Changed
Full Changelog: rack/rack@v2.2.8...v2.2.8.1
v2.2.8Compare Source
v2.2.7Compare Source
v2.2.6.4Compare Source
v2.2.6.3Compare Source
v2.2.6.2Compare Source
v2.2.6.1Compare Source
v2.2.6Compare Source
v2.2.5Compare Source
Fixed
Rack::URLMapuses non-deprecated form ofRegexp.new. (#1998, @weizheheng)v2.2.4Compare Source
Rack::ETagmiddleware. (#1919, @ioquatix)v2.2.3.1Compare Source
Security
v2.2.3Compare Source
Security
v2.2.2Compare Source
Fixed
Rack::Request#hostvalue. (#1591, [@ioquatix])Rack::Handler::Thinimplementation. (#1583, [@jeremyevans])v2.2.1Compare Source
Security
Rack::Sendfile.v2.2.0Compare Source
SPEC Changes
rack.sessionrequest environment entry must respond toto_hashand return unfrozen Hash. ([@jeremyevans])Added
rackupsupports multiple-roptions and will require all arguments. ([@jeremyevans])Serversupports an array of paths to require for the:requireoption. (@khotta)Filessupports multipart range requests. (@fatkodima)Multipart::UploadedFilesupports an IO-like object instead of using the filesystem, using:filenameand:iooptions. ([@jeremyevans])Multipart::UploadedFilesupports keyword arguments:path,:content_type, and:binaryin addition to positional arguments. ([@jeremyevans])Staticsupports a:cascadeoption for calling the app if there is no matching file. ([@jeremyevans])Session::Abstract::SessionHash#dig. ([@jeremyevans])Response.[]andMockResponse.[]for creating instances using status, headers, and body. ([@ioquatix])Rack::Response. (#1555, [@ioquatix])Changed
Request#paramsno longer rescues EOFError. ([@jeremyevans])Directoryuses a streaming approach, significantly improving time to first byte for large directories. ([@jeremyevans])Directoryno longer includes a Parent directory link in the root directory index. ([@jeremyevans])QueryParser#parse_nested_queryuses original backtrace when reraising exception with new class. ([@jeremyevans])ConditionalGetfollows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. ([@jeremyevans]).rufiles supports thefrozen-string-literalmagic comment. (@eregon)Etagwill continue sending ETag even if the response should not be cached. Streaming no longer works without a workaround, see #1619. (@henm)Request#host_with_portno longer includes a colon for a missing or empty port. (@AlexWayfer)Fileshandling of range requests no longer return a body that supportsto_path, to ensure range requests are handled correctly. ([@jeremyevans])Multipart::Generatoronly includesContent-Lengthfor files with paths, andContent-Dispositionfilenameif theUploadedFileinstance has one. ([@jeremyevans])Request#ssl?is true for thewssscheme (secure websockets). ([@jeremyevans])Rack::HeaderHashis memoized by default. (#1549, [@ioquatix])Rack::Directoryallow directory traversal inside root directory. (#1417, @ThomasSevestre)Rack::Request.#hostand#host_with_porthave been changed to correctly return IPv6 addresses formatted with square brackets, as defined by RFC3986. (#1561, [@ioquatix])Rack::Builderparsing options on first#\line is deprecated. (#1574, [@ioquatix])Removed
Directory#pathas it was not used and always returned nil. ([@jeremyevans])BodyProxy#eachas it was only needed to work around a bug in Ruby <1.9.3. ([@jeremyevans])URLMap::INFINITYandURLMap::NEGATIVE_INFINITY, in favor ofFloat::INFINITY. (@ch1c0t)Rack::File. It will be deprecated again in rack 2.2 or 3.0. (@rafaelfranca)Rack::Files#response_bodyas the implementation was broken. (#1153, [@ioquatix])SERVER_ADDRwhich was never part of the original SPEC. (#1573, [@ioquatix])Fixed
Directorycorrectly handles root paths containing glob metacharacters. ([@jeremyevans])Cascadeuses a new response object for each call if initialized with no apps. ([@jeremyevans])BodyProxycorrectly delegates keyword arguments to the body object on Ruby 2.7+. ([@jeremyevans])BodyProxy#methodcorrectly handles methods delegated to the body object. ([@jeremyevans])Request#hostandRequest#host_with_porthandle IPv6 addresses correctly. (@AlexWayfer)Lintchecks when response hijacking thatrack.hijackis called with a valid object. ([@jeremyevans])Response#writecorrectly updatesContent-Lengthif initialized with a body. ([@jeremyevans])CommonLoggerincludesSCRIPT_NAMEwhen logging. (@Erol)Utils.parse_nested_querycorrectly handles empty queries, using an empty instance of the params class instead of a hash. ([@jeremyevans])Directorycorrectly escapes paths in links. (@yous)Request#delete_cookieand relatedUtilsmethods handle:domainand:pathoptions in same call. ([@jeremyevans])Request#delete_cookieand relatedUtilsmethods do an exact match on:domainand:pathoptions. ([@jeremyevans])Staticno longer adds headers when a gzipped file request has a 304 response. (@chooh)ContentLengthsetsContent-Lengthresponse header even for bodies not responding toto_ary. ([@jeremyevans])Thin::Controllers::Controller. ([@jeremyevans]):BindAddressoption. ([@jeremyevans])ShowExceptionshandles invalid POST data. ([@jeremyevans])Lintchecks response is array with 3 elements, per SPEC. ([@jeremyevans]):SSLEnableoption when using WEBrick handler. (Gregor Melhorn);as delimiter when parsing cookies. (@mrageh)Utils::HeaderHash#clearclears the name mapping as well. (@raxoft)nilRack::Files.new, which notably fixes Rails' currentActiveStorage::FileServerimplementation. ([@ioquatix])Documentation
v2.1.4.4Compare Source
What's Changed
Full Changelog: rack/rack@v2.1.4.3...v2.1.4.4
v2.1.4.3Compare Source
v2.1.4.2Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.