ivaldi / brimir

Email helpdesk built using Ruby on Rails and Zurb Foundation
http://getbrimir.com
GNU Affero General Public License v3.0

[Security] Bump rack from 2.0.5 to 2.0.6 #456

Closed greysteil closed 5 years ago

greysteil commented 5 years ago

Bumps rack from 2.0.5 to 2.0.6. This update includes security fixes.

**Vulnerabilities fixed**

*Sourced from The Ruby Advisory Database.*

> **Possible XSS vulnerability in Rack**
>
> There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack.
>
> Vulnerable code looks something like this:
>
> ```erb
> <%= request.scheme.html_safe %>
> ```
>
> Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: ~> 1.6.11; >= 2.0.6
> Unaffected versions: none

*Sourced from The Ruby Advisory Database.*

> **Possible DoS vulnerability in Rack**
>
> There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. Impacted code can look something like this:
>
> ```ruby
> Rack::Request.new(env).params
> ```
>
> But any code that uses the multi-part parser may be vulnerable. Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well. All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: >= 2.0.6
> Unaffected versions: <= 2.0.3
**Commits**

- [`8376dd1`](https://github.com/rack/rack/commit/8376dd11e6526a53432ee59b7a5d092bda9fc901) Bumping version for release
- [`313dd6a`](https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7) Whitelist http/https schemes
- [`37c1160`](https://github.com/rack/rack/commit/37c1160b2360074d20858792f23a7eb3afeabebd) Reduce buffer size to avoid pathological parsing
- [`99fea65`](https://github.com/rack/rack/commit/99fea65cc04eaaad8e59b1a78440a2616e0dc55a) Merge tag '2.0.5' into 2-0-stable
- [`216b7ca`](https://github.com/rack/rack/commit/216b7cad1baa65ba1213ae51c85776928d6e2d86) Merge pull request [#1296](https://github-redirect.dependabot.com/rack/rack/issues/1296) from tomelm/fix-prefers-plaintext
- See full diff in [compare view](https://github.com/rack/rack/compare/2.0.5...2.0.6)



I won't port across any more Dependabot PRs, as I don't want you to feel like I'm spamming you with them, but I'd still love you to use it. :octocat:
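As an added example (not code from brimir, from Rack, or from this PR), the Ruby below models the scheme issue described in the first advisory. It uses a simplified stand-in for `Rack::Request#scheme` (the header lookup is an approximation of what the real method consults), places the whitelist check that the `313dd6a` commit title describes beside the unchecked version, and renders the result both unescaped, as in the advisory's `<%= request.scheme.html_safe %>`, and through `ERB::Util.html_escape`. The function names, the `helpdesk.example` host and the sample env are assumptions.

```ruby
require "erb"

# Added example, not code from brimir or Rack. The header lookup in
# unsafe_scheme is a simplified approximation of what Rack::Request#scheme
# consults; the real method lives in the rack gem.

ALLOWED_SCHEMES = %w[http https].freeze

# Unchecked behaviour: a forwarding header supplied by the client is returned
# verbatim, so the "scheme" is client-controlled data, not one of two tokens.
def unsafe_scheme(env)
  return "https" if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
  forwarded = env["HTTP_X_FORWARDED_SCHEME"] ||
              env["HTTP_X_FORWARDED_PROTO"].to_s.split(",")[0].to_s.strip
  forwarded.empty? ? env["rack.url_scheme"] : forwarded
end

# Whitelisted behaviour (what the "Whitelist http/https schemes" commit title
# describes): only the two expected values are accepted from headers; anything
# else falls back to the scheme the server itself established.
def safe_scheme(env)
  candidate = unsafe_scheme(env)
  ALLOWED_SCHEMES.include?(candidate) ? candidate : env["rack.url_scheme"]
end

# A view fragment that trusts the scheme, like the advisory's
# `<%= request.scheme.html_safe %>`: the value is interpolated as-is.
def render_unescaped(scheme)
  %(<a href="#{scheme}://helpdesk.example/">Helpdesk</a>)
end

# The same fragment with output escaping applied (Rails' default for <%= %>).
def render_escaped(scheme)
  %(<a href="#{ERB::Util.html_escape(scheme)}://helpdesk.example/">Helpdesk</a>)
end

# Constructed sample env: the server spoke plain HTTP, but a client-supplied
# X-Forwarded-Proto header carries markup instead of a scheme name.
SAMPLE_ENV = {
  "rack.url_scheme" => "http",
  "HTTP_X_FORWARDED_PROTO" => "<b>bogus</b>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unchecked scheme : #{unsafe_scheme(SAMPLE_ENV).inspect}"
  puts "whitelisted      : #{safe_scheme(SAMPLE_ENV).inspect}"
  puts "unescaped view   : #{render_unescaped(unsafe_scheme(SAMPLE_ENV))}"
  puts "escaped view     : #{render_escaped(unsafe_scheme(SAMPLE_ENV))}"
end
```

Either fix on its own closes the gap for this view: the whitelist stops the header value from reaching the template, and output escaping stops it from being interpreted as markup. The advisory's point is that an application which bypasses escaping (`html_safe`) was relying entirely on the first, which 2.0.5 did not provide.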

coveralls commented 5 years ago


Coverage remained the same at 90.538% when pulling 32c1902f0b9d906057dec21244807c83d4ab9727 on greysteil:dependabot/bundler/rack-2.0.6 into 7a62fad66f0a6ade774ef857c32cdc5a5fe9599a on ivaldi:master.