Bump rack from 1.6.4 to 1.6.13 #2
base: master
Bumps [rack](https://github.com/rack/rack) from 1.6.4 to 1.6.13.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@1.6.4...1.6.13)

---
updated-dependencies:
- dependency-name: rack
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
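Review bot: the change from `rack (1.6.4)` to `rack (1.6.13)` stays inside the 1.6 series, so it does not clear the advisories the scanner raises against this lockfile entry: every fixed release quoted in those comments (2.0.9.1, 2.0.9.2, 2.0.9.3, 2.1.3, 2.1.4 and later) is in the 2.x series or above, and the scanner marks rack as an indirect dependency, so nothing in this hunk can move it past that line. Merging this as a security fix would leave the multipart parser, Range header, Rack::Directory and CommonLogger issues open. Suggest either bumping the gem that declares rack as a dependency (not visible in this hunk) so the resolver can pick a fixed 2.x release, or recording the accepted risk on the PR and applying the workarounds the advisories themselves name (a proxy-side POST body limit; not loading Rack::Lint or Rack::CommonLogger) until that upgrade is possible.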
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | High |
Issue | Denial of Service Vulnerability in Rack Multipart Parsing: CVE-2022-30122 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.0.9.1 |
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.
Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.
Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:
params = Rack::Multipart.parse_multipart(env)
But it also includes reading POST data from a Rack request object like this:
p request.POST # read POST data
p request.params # reads both query params and POST data
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
There are no feasible workarounds for this issue.
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | High |
Issue | Directory traversal in Rack::Directory app bundled with Rack: CVE-2020-8161 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.1.3 |
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | High |
Issue | Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names: CVE-2020-8184 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.1.4 |
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | High |
Issue | Rack has possible DoS Vulnerability in Multipart MIME parsing: CVE-2023-27530 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.0.9.3 |
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All.
Not affected: None
Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
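The advisory above says the affected parser caps file parts but not the total number of parts, and that a body-size limit at the proxy mitigates it. The middleware below is an added example, not Rack's code and not from this PR: it applies the same idea inside the application, bounding both the declared body size and the number of part delimiters before the request reaches Rack's parser. The class name `MultipartGuard`, the limits, and the sample requests are all constructed for the example.

```ruby
require 'stringio'

# Rack-compatible middleware that bounds multipart/form-data requests before
# Rack's own parser sees them. Added example, not Rack's code: it is an in-app
# version of the body-size workaround the advisory mentions, plus a cap on the
# number of parts, which the affected parser does not enforce.
class MultipartGuard
  MULTIPART_RE = %r{\Amultipart/form-data;.*boundary="?([^";]+)"?}i

  def initialize(app, max_bytes: 1 << 20, max_parts: 128)
    @app = app
    @max_bytes = max_bytes
    @max_parts = max_parts
  end

  def call(env)
    boundary = env['CONTENT_TYPE'].to_s[MULTIPART_RE, 1]
    return @app.call(env) unless boundary # not multipart: pass through

    # Check the declared length first so a huge body is never buffered.
    return reject('body too large') if env['CONTENT_LENGTH'].to_i > @max_bytes

    body = env['rack.input'].read(@max_bytes + 1).to_s
    return reject('body too large') if body.bytesize > @max_bytes

    parts = count_parts(body, boundary)
    return reject("too many parts (#{parts})") if parts > @max_parts

    # Hand the buffered body back to the app as a fresh, rewound stream.
    env['rack.input'] = StringIO.new(body)
    @app.call(env)
  end

  # Each part opens with "--boundary" on its own line; the closing delimiter
  # "--boundary--" is excluded by the negative lookahead.
  def count_parts(body, boundary)
    body.scan(/^--#{Regexp.escape(boundary)}(?!--)\r?$/).size
  end

  private

  def reject(reason)
    [413, { 'content-type' => 'text/plain' }, ["rejected: #{reason}\n"]]
  end
end

# --- constructed sample requests (not real traffic) -------------------------

# Builds a multipart body with +n+ text fields separated by +boundary+.
def multipart_body(n, boundary = 'X')
  parts = (1..n).map do |i|
    "--#{boundary}\r\nContent-Disposition: form-data; name=\"f#{i}\"\r\n\r\nv#{i}\r\n"
  end
  parts.join + "--#{boundary}--\r\n"
end

def multipart_env(body, boundary = 'X')
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => "multipart/form-data; boundary=#{boundary}",
    'CONTENT_LENGTH' => body.bytesize.to_s,
    'rack.input'     => StringIO.new(body),
  }
end

# Downstream app that only reports how many bytes reached it.
UPSTREAM = ->(env) { [200, {}, ["got #{env['rack.input'].read.bytesize} bytes"]] }

# Status code the guard produces for a multipart body with +n+ parts.
def status_for_parts(n, max_parts: 100, max_bytes: 1 << 20)
  guard = MultipartGuard.new(UPSTREAM, max_parts: max_parts, max_bytes: max_bytes)
  guard.call(multipart_env(multipart_body(n))).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for_parts(3)     # 200
  puts status_for_parts(5_000) # 413
end
```

The guard is mounted with `use MultipartGuard, max_parts: 128` ahead of any middleware that touches `request.POST`; it is a bound on work, not a fix for the parser, so it complements rather than replaces the upgrade.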
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | High |
Issue | Denial of service via header parsing in Rack: CVE-2022-44570 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.0.9.2 |
There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.
Versions Affected: >= 1.5.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1
Impact
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.0 series
2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.1 series
2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.2 series
3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 3.0 series
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
@@ -82,7 +82,7 @@ GEM | |||
coderay (~> 1.1.0) | |||
method_source (~> 0.8.1) | |||
slop (~> 3.4) | |||
rack (1.6.4) | |||
rack (1.6.13) |
❗Cycode: Security vulnerability found in newly introduced dependency.
Field | Value |
---|---|
Severity | Critical |
Issue | Possible shell escape sequence injection vulnerability in Rack: CVE-2022-30123 |
Ecosystem | RubyGems |
Dependency | rack |
Dependency Paths | `` |
Direct Dependency | No |
Upgrade | 2.0.9.1 |
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.
Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:
use Rack::Lint
Or
use Rack::CommonLogger
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
Remove these middleware from your application
Would you like to exclude this security vulnerability from your status checks?
Tell us what to do with one of the following hashtags:
Tag | Short Description |
---|---|
#cycode_ignore_manifest_here | Applies to this manifest in this request only |
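The advisory above describes request bytes reaching a terminal through CommonLogger unchanged, and its workaround is to drop that middleware. As an added example (not Rack's code and not part of this PR), the logger below takes the other route: every request-controlled field is neutralised before it is written, so ESC, BEL, CR/LF and the 8-bit C1 range come out as visible `\xNN` escapes. `sanitize_log_field`, `SafeRequestLogger` and the sample request with a terminal escape in its User-Agent are all constructed for the example.

```ruby
require 'stringio'

# Replaces every C0 control character (U+0000-U+001F), DEL (U+007F) and the
# C1 range (U+0080-U+009F, which carries 8-bit CSI) with a visible \xNN
# escape. Bytes that are not valid UTF-8 are escaped byte by byte first, so
# no raw byte from the request survives into the log line.
def sanitize_log_field(value)
  text = value.to_s.dup.force_encoding(Encoding::UTF_8)
  text = text.scrub { |bad| bad.unpack1('H*').scan(/../).map { |h| "\\x#{h.upcase}" }.join }
  text.gsub(/[\u0000-\u001F\u007F\u0080-\u009F]/) { |c| format('\\x%02X', c.ord) }
end

# Added example of a CommonLogger-style middleware whose output never carries
# raw request bytes; not Rack's CommonLogger.
class SafeRequestLogger
  def initialize(app, io = $stderr)
    @app = app
    @io = io
  end

  def call(env)
    status, headers, body = @app.call(env)
    @io.write(self.class.line_for(env, status) + "\n")
    [status, headers, body]
  end

  # Builds the line from fields the client controls (method, path, query,
  # user agent); each one is sanitised independently.
  def self.line_for(env, status)
    method, path, query, agent = %w[REQUEST_METHOD PATH_INFO QUERY_STRING HTTP_USER_AGENT]
                                 .map { |k| sanitize_log_field(env[k]) }
    agent = '-' if agent.empty?
    target = query.empty? ? path : "#{path}?#{query}"
    "#{method} #{target} #{status} \"#{agent}\""
  end
end

# Constructed request whose User-Agent carries an OSC terminal sequence
# (ESC ] ... BEL); returns the single line the logger wrote for it.
def logged_line_for_sample
  env = {
    'REQUEST_METHOD'  => 'GET',
    'PATH_INFO'       => '/index',
    'QUERY_STRING'    => '',
    'HTTP_USER_AGENT' => "curl\e]0;title\a",
  }
  sink = StringIO.new
  SafeRequestLogger.new(->(_env) { [200, {}, ['ok']] }, sink).call(env)
  sink.string.chomp
end

puts logged_line_for_sample if __FILE__ == $PROGRAM_NAME
```

The escaping is deliberately lossless in the other direction: an operator reading the log can still see exactly which bytes arrived, which matters when the log is the evidence during an investigation.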
Bumps rack from 1.6.4 to 1.6.13.
Commits
- 47a1fd7 bump version
- b8dc520 Handle case where session id key is requested but it is missing
- 698a060 Merge pull request #1462 from jeremyevans/sessionid-to_s
- de902e4 Merge branch '1-6-sec' into 1-6-stable
- b7d6546 Bump version
- d3e2f88 making diff smaller
- 99a8a87 fix memcache tests on 1.6
- f2cb48e fix tests on 1.6
- 7ff635c Introduce a new base class to avoid breaking when upgrading
- 3232f93 Add a version prefix to the private id to make easier to migrate old values

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.