samvera-labs / chimera

A generic, unbranded implementation of University of Michigan Research Data Repository DeepBlue
Apache License 2.0

CHIMERA-6 - Potential DoS (RAM usage), Rack Multipart parser #7

Closed fritzfreiheit closed 5 years ago

fritzfreiheit commented 5 years ago

Known moderate severity security vulnerability detected in rack >= 2.0.0, < 2.0.6 defined in Gemfile.lock. Gemfile.lock update suggested: rack ~> 2.0.6.

This update includes an override of rack's tiny multipart upload buffer size (RACK_MULTIPART_BUFFER_SIZE), to that used in the "pinned" commit.

CVE-2018-16470: https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ
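As an added illustration (not code from this issue or from the chimera project): a small Ruby check for the rack version range quoted in the alert above, plus a middleware that sets the `rack.multipart.buffer_size` env key that rack's RACK_MULTIPART_BUFFER_SIZE constant names. The 1 MiB value is an assumption, since the issue does not state the size used in the pinned commit.

```ruby
# Added example; not part of samvera-labs/chimera.
require 'rubygems'

# Version range from the dependency alert quoted in the issue.
RACK_AFFECTED = Gem::Requirement.new('>= 2.0.0', '< 2.0.6')
RACK_SUGGESTED = Gem::Requirement.new('~> 2.0.6')

# Extract the locked rack version from Gemfile.lock text.
# Returns the version string, or nil if rack is not locked.
def locked_rack_version(lockfile_text)
  # In the specs section a locked gem appears as "    rack (2.0.5)";
  # dependency lines such as "      rack (>= 1.0)" are indented deeper.
  m = lockfile_text.match(/^    rack \(([^)]+)\)$/)
  m && m[1]
end

# True when the locked rack version falls inside the affected range.
def rack_vulnerable?(lockfile_text)
  v = locked_rack_version(lockfile_text)
  return false unless v
  RACK_AFFECTED.satisfied_by?(Gem::Version.new(v))
end

# Rack middleware that sets the multipart parser buffer size for the
# downstream app. Rack reads this env key before falling back to its
# built-in default. The 1 MiB value is an assumption (see lead-in).
class MultipartBufferSize
  KEY = 'rack.multipart.buffer_size'.freeze

  def initialize(app, size = 1_048_576)
    @app = app
    @size = size
  end

  def call(env)
    env[KEY] = @size
    @app.call(env)
  end
end

# Constructed sample Gemfile.lock fragment (not the project's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.5)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)
LOCK
```

Use the middleware with `use MultipartBufferSize` in config.ru ahead of the application so the key is present when rack parses the request body.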

jhallida commented 5 years ago

Not necessary. These changes were pulled in through the larger changes from Deep Blue Data production v1.