This repository has been archived by the owner on Dec 22, 2018. It is now read-only.

[Security] Bump rack from 2.0.5 to 2.0.6 #456

Merged
merged 1 commit into from Nov 7, 2018

Conversation

greysteil

Bumps rack from 2.0.5 to 2.0.6. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible XSS vulnerability in Rack
There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Patched versions: ~> 1.6.11; >= 2.0.6
Unaffected versions: none

Sourced from The Ruby Advisory Database.

Possible DoS vulnerability in Rack
There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. Impacted code can look something like this:

Rack::Request.new(env).params

But any code that uses the multi-part parser may be vulnerable. Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well. All users running an affected release should either upgrade or use one of the workarounds immediately.

Patched versions: >= 2.0.6
Unaffected versions: <= 2.0.3

Commits
  • 8376dd1 Bumping version for release
  • 313dd6a Whitelist http/https schemes
  • 37c1160 Reduce buffer size to avoid pathological parsing
  • 99fea65 Merge tag '2.0.5' into 2-0-stable
  • 216b7ca Merge pull request #1296 from tomelm/fix-prefers-plaintext
  • See full diff in compare view

Dependabot compatibility score

I won't port across any more Dependabot PRs, as I don't want you to feel like I'm spamming you with them, but I'd still love you to use it. :octocat:

Bumps [rack](https://github.com/rack/rack) from 2.0.5 to 2.0.6. **This update includes security fixes.**
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](rack/rack@2.0.5...2.0.6)

Signed-off-by: dependabot[bot] <support@dependabot.com>
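The two advisories above describe the same root cause from the application's side: `Rack::Request#scheme` returned a value partly derived from client-controlled forwarding headers, and the multipart parser could be driven into a slow state by a crafted body. The following is an added example written for this page; it is not Rack's code and not ivaldi's. It mirrors the idea of the two fixes (whitelisting http/https, and bounding what reaches the multipart parser) at the application layer, so that an app can protect itself even while a vulnerable rack is still installed. The header-derived `raw_scheme` logic, the 10 MiB cap, and the `RequestGuard` middleware name are assumptions made for the example; the env hashes are constructed, not captured traffic.

```ruby
require 'cgi'

ALLOWED_SCHEMES = %w[http https].freeze
MAX_MULTIPART_BYTES = 10 * 1024 * 1024 # assumption: 10 MiB cap chosen for this app

# Scheme as a proxy-aware app would derive it from forwarding headers
# (assumption: this stands in for the pre-2.0.6 behaviour for the purposes
# of the example). It hands back whatever the client sent.
def raw_scheme(env)
  return 'https' if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
  forwarded = env['HTTP_X_FORWARDED_SCHEME'] ||
              env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first
  forwarded || env['rack.url_scheme']
end

# Whitelisted scheme: anything other than http/https is treated as absent,
# which is the same idea as the "Whitelist http/https schemes" commit.
def safe_scheme(env)
  s = raw_scheme(env).to_s.downcase
  ALLOWED_SCHEMES.include?(s) ? s : nil
end

# Equivalent of `<%= request.scheme.html_safe %>`: the value reaches the page
# unescaped, so any markup the client put in the header is reflected.
def render_vulnerable(env)
  "<p>scheme=#{raw_scheme(env)}</p>"
end

# Hardened: whitelist first, and escape anyway so a later change to the
# whitelist cannot silently reintroduce reflection.
def render_hardened(env)
  "<p>scheme=#{CGI.escapeHTML(safe_scheme(env) || 'http')}</p>"
end

# Minimal Rack-style middleware (call(env) -> [status, headers, body]) that
# rejects requests with an unrecognised scheme and multipart bodies above the
# cap before the app ever invokes the multipart parser.
class RequestGuard
  def initialize(app, max_multipart_bytes: MAX_MULTIPART_BYTES)
    @app = app
    @max = max_multipart_bytes
  end

  def call(env)
    return respond(400, 'unsupported scheme') unless safe_scheme(env)

    if env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data') &&
       env['CONTENT_LENGTH'].to_i > @max
      return respond(413, 'multipart body too large')
    end

    @app.call(env)
  end

  private

  def respond(status, message)
    [status, { 'Content-Type' => 'text/plain' }, [message]]
  end
end

# Constructed sample environments (not captured traffic).
NORMAL_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'CONTENT_TYPE' => 'multipart/form-data; boundary=abc',
  'CONTENT_LENGTH' => '2048'
}.freeze
MARKUP_ENV = NORMAL_ENV.merge('HTTP_X_FORWARDED_PROTO' => '<not-a-scheme>').freeze
HUGE_ENV   = NORMAL_ENV.merge('CONTENT_LENGTH' => (50 * 1024 * 1024).to_s).freeze

# Runs the three constructed requests through the guard and both renderers.
def demo
  app = RequestGuard.new(->(_env) { [200, {}, ['ok']] })
  {
    vulnerable: render_vulnerable(MARKUP_ENV),
    hardened:   render_hardened(MARKUP_ENV),
    normal:     app.call(NORMAL_ENV)[0],
    markup:     app.call(MARKUP_ENV)[0],
    huge:       app.call(HUGE_ENV)[0]
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The whitelist is the fix that matters for the scheme issue; the `CGI.escapeHTML` call is defence in depth, since a template that marks the value `html_safe` has already opted out of the framework's escaping. The size cap is not a replacement for upgrading rack, because the parser problem is about pathological input rather than sheer size, but it bounds the work a single request can demand from the parser while the upgrade is rolled out.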
@coveralls

Coverage Status

Coverage remained the same at 90.538% when pulling 32c1902 on greysteil:dependabot/bundler/rack-2.0.6 into 7a62fad on ivaldi:master.

@frenkel frenkel merged commit 32e6ccc into ivaldi:master Nov 7, 2018