🚨 [security] Update rack 2.2.3 → 2.2.8.1 (minor)
Welcome to Depfu
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗ ️ rack (indirect, 2.2.3 → 2.2.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Denial of Service Vulnerability in Rack Content-Type Parsing
There is a possible denial of service vulnerability in the content type
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2024-25126.Versions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
Carefully crafted content type headers can cause Rack’s media type parser to
take much longer than expected, leading to a possible denial of service
vulnerability.Impacted code will use Rack’s media type parser to parse content type headers.
This code will look like below:request.media_type OR request.media_type_params OR Rack::MediaType.type(content_type)Some frameworks (including Rails) call this code internally, so upgrading is
recommended!All users running an affected release should either upgrade or use one of the
workarounds immediately.Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
🚨 Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.Vulnerable applications will use the
Rack::Filemiddleware or the
Rack::Utils.byte_rangesmethods (this includes Rails applications).Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
🚨 Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue.Acceptand
Forwardedheaders are impacted.Ruby 3.2 has mitigations for this problem, so Rack applications using
Ruby 3.2 or newer are unaffected.Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
🚨 Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1
Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.
🚨 Possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.
🚨 Denial of service via header parsing in Rack
There is a possible denial of service vulnerability in the Range header
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2022-44570.Versions Affected: >= 1.5.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1Impact
Carefully crafted input can cause the Range header parsing component in Rack
to take an unexpected amount of time, possibly resulting in a denial of
service attack vector. Any applications that deal with Range requests (such
as streaming applications, or applications that serve files) may be impacted.Workarounds
There are no feasible workarounds for this issue.
🚨 Denial of service via multipart parsing in Rack
There is a denial of service vulnerability in the multipart parsing component
of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-44572.Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1Impact
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack
to take an unexpected amount of time, possibly resulting in a denial of
service attack vector. Any applications that parse multipart posts using
Rack (virtually all Rails applications) are impacted.Workarounds
There are no feasible workarounds for this issue.
🚨 Denial of Service Vulnerability in Rack Content-Disposition parsing
There is a denial of service vulnerability in the Content-Disposition parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-44571.Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1Impact
Carefully crafted input can cause Content-Disposition header parsing in Rack
to take an unexpected amount of time, possibly resulting in a denial of
service attack vector. This header is used typically used in multipart
parsing. Any applications that parse multipart posts using Rack (virtually
all Rails applications) are impacted.Workarounds
There are no feasible workarounds for this issue.
🚨 Denial of Service Vulnerability in Rack Multipart Parsing
There is a possible denial of service vulnerability in the multipart parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-30122.Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1Impact
Carefully crafted multipart POST requests can cause Rack's multipart parser to
take much longer than expected, leading to a possible denial of service
vulnerability.Impacted code will use Rack's multipart parser to parse multipart posts. This
includes directly using the multipart parser like this:params = Rack::Multipart.parse_multipart(env)But it also includes reading POST data from a Rack request object like this:
p request.POST # read POST data p request.params # reads both query params and POST dataAll users running an affected release should either upgrade or use one of the
workarounds immediately.Workarounds
There are no feasible workarounds for this issue.
🚨 Possible shell escape sequence injection vulnerability in Rack
There is a possible shell escape sequence injection vulnerability in the Lint
and CommonLogger components of Rack. This vulnerability has been assigned the
CVE identifier CVE-2022-30123.Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1Impact
Carefully crafted requests can cause shell escape sequences to be written to
the terminal via Rack's Lint middleware and CommonLogger middleware. These
escape sequences can be leveraged to possibly execute commands in the victim's
terminal.Impacted applications will have either of these middleware installed, and
vulnerable apps may have something like this:use Rack::LintOr
use Rack::CommonLoggerAll users running an affected release should either upgrade or use one of the
workarounds immediately.Workarounds
Remove these middleware from your application
Release Notes
2.2.8.1
What's Changed
- Fixed ReDoS in Accept header parsing [CVE-2024-26146]
- Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
- Reject Range headers which are too large [CVE-2024-26141]
Full Changelog: v2.2.8...v2.2.8.1
2.2.7
What's Changed
- Correct the year number in the changelog by @kimulab in #2015
- Support underscore in host names for Rack 2.2 (Fixes #2070) by @jeremyevans in #2071
New Contributors
Full Changelog: v2.2.6.4...v2.2.7
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 50 commits:
bump versionAvoid 2nd degree polynomial regexp in MediaTypeReturn an empty array when ranges are too largeFixing ReDoS in header parsingBump patch version.Regenerate SPEC (#2102)Fix inefficient assert pattern in Rack::Lint (#2101)Prefer ubuntu-latest for testing. (#2095)Update cookie.rb (#2092)adds missing 2.2.7 to CHANGELOG.md (#2081)Limit file extension length of multipart tempfiles (#2069) (#2075)Bump patch version.Support underscore in host names for Rack 2.2 (Fixes #2070) (#2071)Merge branch '2-2-sec' into 2-2-stablebump versionAvoid ReDoS problemMerge branch '2-2-sec' into 2-2-stablebump versionLimit all multipart parts, not just filesCorrect the year in the changelog (#2015)bumping versionFix ReDoS in Rack::Utils.get_byte_rangesbump versionUpdate changelogFix ReDoS vulnerability in multipart parserForbid control characters in attributesBump patch version.Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2011)Remove leading dot to fix compatibility with latest cgi gem. (#1988)Update tests to work on latest Rubies. (#1999)Bump patch release.Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998)fixup changelogbump versionBetter handling of case-insensitive headers for `Rack::Etag` middleware. (#1919)Add 'custom exception on params too deep error' change to CHANGELOG. (#1914)Expect additional optional version segment in version test. (#1913)Merge branch '2-2-sec' into 2-2-stableupdate changelogbump versionEscape untrusted text when loggingRestrict broken mime parsingEnsure Rack::QueryParser::ParamsTooDeepError is inherited from RangeError. (#1864)Add Ruby 2.3 compatibility for tests, add Ruby 2.3 to CI. (#1863)Merge pull request #1839 from RubyElders/2-2-stable-ciReplace CircleCI with GitHub Actions.Newer rubies spec compatibility.Merge pull request #1838 from RubyElders/custom-range-exception-2-2Use custom exception on params too deep error.Don't ary.inspect in the lint assertions (backport) (#1765)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)