feat(logstash-9.1): bump dep to remediate GHSA-wpv5-97wm-hp9c, GHSA-w9pc-fmgc-vxvw and GHSA-p543-xpfm-54cp

[efbar]

Signed-off-by: Francesco Bartolini francesco.bartolini@chainguard.dev

Summary

Bump Rack dependency from 3.1.16 to 3.1.17 to remediate three high-severity vulnerabilities in Rack's multipart parser:

• GHSA-wpv5-97wm-hp9c: Unbounded memory accumulation when multipart header blocks never terminate
• GHSA-w9pc-fmgc-vxvw: Non-file form fields stored entirely in memory as String objects
• GHSA-p543-xpfm-54cp: Multipart preamble buffered in memory without size limits

All three vulnerabilities allow attackers to cause denial of service through memory exhaustion. The fix updates Rack to version 3.1.17 which adds proper size limits to multipart parsing operations.

Changes

• Updated Rack version constraint in Gemfile.jruby-3.1.lock.release from >= 3.1.16 to >= 3.1.17
• Added explicit Rack 3.1.17 requirement to Gemfile.template
• Incremented epoch to 1

[octo-sts]

🩹 Build Failed: Patch Application Failed

Reversed (or previously applied) patch detected! Assume -R? [n] Apply anyway? [n] Skipping patch. 1 out of 1 hunk ignored -- saving rejects to file opt/iamguarded/scripts/liblogstash.sh.rej

Build Details

Category	Details
Build System	melange
Failure Point	patch -p1 command during iamguarded-compat subpackage build

Root Cause Analysis 🔍

A patch is being applied to opt/iamguarded/scripts/liblogstash.sh that has already been applied or is incompatible with the current file state. The patch system detected this and rejected the patch, causing the build pipeline to fail with exit status 1.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.