[Security] Bump rack from 2.0.5 to 2.0.6 in /api #86

Merged
merged 1 commit into from Nov 6, 2018

3 participants
@greysteil

greysteil commented Nov 6, 2018

Bumps rack from 2.0.5 to 2.0.6. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible XSS vulnerability in Rack
There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Patched versions: ~> 1.6.11; >= 2.0.6
Unaffected versions: none

Sourced from The Ruby Advisory Database.

Possible DoS vulnerability in Rack
There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. Impacted code can look something like this:

Rack::Request.new(env).params

But any code that uses the multi-part parser may be vulnerable. Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well. All users running an affected release should either upgrade or use one of the workarounds immediately.

Patched versions: >= 2.0.6
Unaffected versions: <= 2.0.3

Commits
  • 8376dd1 Bumping version for release
  • 313dd6a Whitelist http/https schemes
  • 37c1160 Reduce buffer size to avoid pathological parsing
  • 99fea65 Merge tag '2.0.5' into 2-0-stable
  • 216b7ca Merge pull request #1296 from tomelm/fix-prefers-plaintext
  • See full diff in compare view

@seadowg - I know you can't use Dependabot for permissions reasons, but I still had it running on my fork so thought I'd port this one across.

[Security] Bump rack from 2.0.5 to 2.0.6 in /api
Bumps [rack](https://github.com/rack/rack) from 2.0.5 to 2.0.6. **This update includes security fixes.**
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](rack/rack@2.0.5...2.0.6)

Signed-off-by: dependabot[bot] <support@dependabot.com>
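The two advisories quoted above describe a defensive pattern rather than a specific exploit: constrain `scheme` to an allow-list (what the "Whitelist http/https schemes" commit in this bump does) and still escape the value before it reaches HTML. The Ruby below is an added illustration, not code from this PR, from Rack or from the advisory database. `raw_scheme` is a simplified model of how Rack 2.0.x derives the scheme from the `env` hash (an assumption about the internals for the purpose of the example, not Rack's own implementation); `safe_scheme`, `escape_for_html`, `render_scheme` and the constructed `env` hashes are my own.

```ruby
require "cgi"

# Schemes a request is allowed to report, matching the 2.0.6 allow-list.
ALLOWED_SCHEMES = %w[http https].freeze

# Assumed simplified model of pre-2.0.6 Rack::Request#scheme: the value of the
# X-Forwarded-* headers is returned as-is, so anything a proxy (or a client a
# misconfigured proxy passes through) sends ends up in the return value.
def raw_scheme(env)
  if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
    "https"
  elsif env["HTTP_X_FORWARDED_SCHEME"]
    env["HTTP_X_FORWARDED_SCHEME"]
  elsif env["HTTP_X_FORWARDED_PROTO"]
    env["HTTP_X_FORWARDED_PROTO"].split(",").first.to_s.strip
  else
    env["rack.url_scheme"]
  end
end

# Hardened variant: a forwarded scheme is honoured only if it is on the
# allow-list; otherwise fall back to the scheme the server itself set.
def safe_scheme(env)
  candidate = raw_scheme(env)
  ALLOWED_SCHEMES.include?(candidate) ? candidate : env["rack.url_scheme"]
end

# Defence in depth: never rely on the allow-list alone when embedding a
# request-derived value in HTML. This is what `html_safe` in the vulnerable
# snippet bypasses.
def escape_for_html(value)
  CGI.escapeHTML(value.to_s)
end

# What a template helper should do instead of `request.scheme.html_safe`.
def render_scheme(env)
  escape_for_html(safe_scheme(env))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Rack env hashes, not captured traffic.
  behind_tls_proxy = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "https" }
  odd_forwarded    = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_SCHEME" => "custom-scheme" }

  puts "proxy says https      -> raw=#{raw_scheme(behind_tls_proxy)} safe=#{safe_scheme(behind_tls_proxy)}"
  puts "non-allowlisted value -> raw=#{raw_scheme(odd_forwarded)} safe=#{safe_scheme(odd_forwarded)}"
  puts "rendered: #{render_scheme(odd_forwarded)}"
end
```

The allow-list fixes the value that `scheme` reports; escaping at the output boundary protects templates that do not trust any request-derived value, which is the mitigation the advisory points at for applications that bypass the framework's escaping.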
@seadowg

Contributor

seadowg commented Nov 6, 2018

@greysteil thanks so much for still submitting these. Really helpful 👏

@seadowg seadowg merged commit ff3018e into pivotal:master Nov 6, 2018

1 check passed

ci/pivotal-cla Thank you for signing the Contributor License Agreement!
@greysteil

greysteil commented Nov 6, 2018

You're welcome - it's really nice to be able to help out 🙂
