Bumps rack from 2.0.5 to 2.0.7. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16470.yml).*
> **Possible DoS vulnerability in Rack**
> There is a possible DoS vulnerability in the multipart parser in Rack. This
> vulnerability has been assigned the CVE identifier CVE-2018-16470.
>
> Versions Affected: 2.0.4, 2.0.5
> Not affected: <= 2.0.3
> Fixed Versions: 2.0.6
>
> Impact
> ------
> There is a possible DoS vulnerability in the multipart parser in Rack.
> Carefully crafted requests can cause the multipart parser to enter a
> pathological state, causing the parser to use CPU resources disproportionate to
> the request size.
>
> Impacted code can look something like this:
>
> ```
> Rack::Request.new(env).params
> ```
>
> ... (truncated)
>
> Patched versions: >= 2.0.6
> Unaffected versions: <= 2.0.3
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml).*
> **Possible XSS vulnerability in Rack**
> There is a possible vulnerability in Rack. This vulnerability has been
> assigned the CVE identifier CVE-2018-16471.
>
> Versions Affected: All.
> Not affected: None.
> Fixed Versions: 2.0.6, 1.6.11
>
> Impact
> ------
> There is a possible XSS vulnerability in Rack. Carefully crafted requests can
> impact the data returned by the `scheme` method on `Rack::Request`.
> Applications that expect the scheme to be limited to "http" or "https" and do
> not escape the return value could be vulnerable to an XSS attack.
>
> Vulnerable code looks something like this:
>
> ```
> <%= request.scheme.html_safe %>
> ```
>
> ... (truncated)
>
> Patched versions: \~> 1.6.11; >= 2.0.6
> Unaffected versions: none
Commits
- [`7fb95db`](https://github.com/rack/rack/commit/7fb95dbec28dc70f3cfbba0a684db0735d8ab2ca) Bumping to 2.0.7 for release
- [`ea57610`](https://github.com/rack/rack/commit/ea576109c1b9fd444e6f0e728f8db74c33786674) Merge pull request [#1343](https://github-redirect.dependabot.com/rack/rack/issues/1343) from larsxschneider/ls/forward-fix
- [`1bf2188`](https://github.com/rack/rack/commit/1bf218818502e820192a41c4da61aa0b0b6109af) Preserve forwarded IP address for trusted proxy chains
- [`cb1fdb6`](https://github.com/rack/rack/commit/cb1fdb600bc525258b3c34ea95f1598ee6def9c6) Merge pull request [#1201](https://github-redirect.dependabot.com/rack/rack/issues/1201) from janko-m/make-multipart-parsing-work-for-chunked...
- [`8376dd1`](https://github.com/rack/rack/commit/8376dd11e6526a53432ee59b7a5d092bda9fc901) Bumping version for release
- [`313dd6a`](https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7) Whitelist http/https schemes
- [`37c1160`](https://github.com/rack/rack/commit/37c1160b2360074d20858792f23a7eb3afeabebd) Reduce buffer size to avoid pathological parsing
- [`99fea65`](https://github.com/rack/rack/commit/99fea65cc04eaaad8e59b1a78440a2616e0dc55a) Merge tag '2.0.5' into 2-0-stable
- [`216b7ca`](https://github.com/rack/rack/commit/216b7cad1baa65ba1213ae51c85776928d6e2d86) Merge pull request [#1296](https://github-redirect.dependabot.com/rack/rack/issues/1296) from tomelm/fix-prefers-plaintext
- See full diff in [compare view](https://github.com/rack/rack/compare/2.0.5...2.0.7)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in the `.dependabot/config.yml` file in this repo:
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps rack from 2.0.5 to 2.0.7. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16470.yml).* > **Possible DoS vulnerability in Rack** > There is a possible DoS vulnerability in the multipart parser in Rack. This > vulnerability has been assigned the CVE identifier CVE-2018-16470. > > Versions Affected: 2.0.4, 2.0.5 > Not affected: <= 2.0.3 > Fixed Versions: 2.0.6 > > Impact > ------ > There is a possible DoS vulnerability in the multipart parser in Rack. > Carefully crafted requests can cause the multipart parser to enter a > pathological state, causing the parser to use CPU resources disproportionate to > the request size. > > Impacted code can look something like this: > > ``` > Rack::Request.new(env).params > ``` > > ... (truncated) > > Patched versions: >= 2.0.6 > Unaffected versions: <= 2.0.3 *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml).* > **Possible XSS vulnerability in Rack** > There is a possible vulnerability in Rack. This vulnerability has been > assigned the CVE identifier CVE-2018-16471. > > Versions Affected: All. > Not affected: None. > Fixed Versions: 2.0.6, 1.6.11 > > Impact > ------ > There is a possible XSS vulnerability in Rack. Carefully crafted requests can > impact the data returned by the `scheme` method on `Rack::Request`. > Applications that expect the scheme to be limited to "http" or "https" and do > not escape the return value could be vulnerable to an XSS attack. > > Vulnerable code looks something like this: > > ``` > <%= request.scheme.html_safe %> > ``` > > ... (truncated) > > Patched versions: \~> 1.6.11; >= 2.0.6 > Unaffected versions: noneCommits
- [`7fb95db`](https://github.com/rack/rack/commit/7fb95dbec28dc70f3cfbba0a684db0735d8ab2ca) Bumping to 2.0.7 for release - [`ea57610`](https://github.com/rack/rack/commit/ea576109c1b9fd444e6f0e728f8db74c33786674) Merge pull request [#1343](https://github-redirect.dependabot.com/rack/rack/issues/1343) from larsxschneider/ls/forward-fix - [`1bf2188`](https://github.com/rack/rack/commit/1bf218818502e820192a41c4da61aa0b0b6109af) Preserve forwarded IP address for trusted proxy chains - [`cb1fdb6`](https://github.com/rack/rack/commit/cb1fdb600bc525258b3c34ea95f1598ee6def9c6) Merge pull request [#1201](https://github-redirect.dependabot.com/rack/rack/issues/1201) from janko-m/make-multipart-parsing-work-for-chunked... - [`8376dd1`](https://github.com/rack/rack/commit/8376dd11e6526a53432ee59b7a5d092bda9fc901) Bumping version for release - [`313dd6a`](https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7) Whitelist http/https schemes - [`37c1160`](https://github.com/rack/rack/commit/37c1160b2360074d20858792f23a7eb3afeabebd) Reduce buffer size to avoid pathological parsing - [`99fea65`](https://github.com/rack/rack/commit/99fea65cc04eaaad8e59b1a78440a2616e0dc55a) Merge tag '2.0.5' into 2-0-stable - [`216b7ca`](https://github.com/rack/rack/commit/216b7cad1baa65ba1213ae51c85776928d6e2d86) Merge pull request [#1296](https://github-redirect.dependabot.com/rack/rack/issues/1296) from tomelm/fix-prefers-plaintext - See full diff in [compare view](https://github.com/rack/rack/compare/2.0.5...2.0.7)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in the `.dependabot/config.yml` file in this repo: - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.