Open Janell-Huyck opened 8 months ago
No breaking changes noted up to v2.2.4, but then the changelog jumps to 3.0 (skipping 2.2.6.4) with multiple breaking changes. We have 2.2.3 pinned in the gemfile. It looks like 2.2.6.4 will take care of bundler-audit warnings.
Name: rack Version: 2.2.3 CVE: CVE-2022-30123 GHSA: GHSA-wq4h-7r42-5hrr Criticality: Critical URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8 Title: Possible shell escape sequence injection vulnerability in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-30122 GHSA: GHSA-hxqx-xwvh-44m2 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Title: Denial of Service Vulnerability in Rack Multipart Parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44571 GHSA: GHSA-93pm-5p5f-3ghx Criticality: Unknown URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of Service Vulnerability in Rack Content-Disposition parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44570 GHSA: GHSA-65f5-mfpf-vfhj Criticality: High URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of service via header parsing in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2023-27539 GHSA: GHSA-c6qg-cjj8-47qp Criticality: Unknown URL: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466 Title: Possible Denial of Service Vulnerability in Rack’s header parsing Solution: upgrade to '~> 2.0, >= 2.2.6.4', '>= 3.0.6.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44572 GHSA: GHSA-rqv2-275x-2jq5 Criticality: Unknown URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of service via multipart parsing in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2023-27530 GHSA: GHSA-3h57-hmj3-gj3p Criticality: High URL: https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388 Title: Possible DoS Vulnerability in Multipart MIME parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.3', '~> 2.1.4, >= 2.1.4.3', '~> 2.2.6, >= 2.2.6.3', '>= 3.0.4.2'
No breaking changes noted up to v2.2.4, but then the changelog jumps to 3.0 (skipping 2.2.6.4) with multiple breaking changes. We have 2.2.3 pinned in the gemfile. It looks like 2.2.6.4 will take care of bundler-audit warnings.
Name: rack Version: 2.2.3 CVE: CVE-2022-30123 GHSA: GHSA-wq4h-7r42-5hrr Criticality: Critical URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8 Title: Possible shell escape sequence injection vulnerability in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-30122 GHSA: GHSA-hxqx-xwvh-44m2 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Title: Denial of Service Vulnerability in Rack Multipart Parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44571 GHSA: GHSA-93pm-5p5f-3ghx Criticality: Unknown URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of Service Vulnerability in Rack Content-Disposition parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44570 GHSA: GHSA-65f5-mfpf-vfhj Criticality: High URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of service via header parsing in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2023-27539 GHSA: GHSA-c6qg-cjj8-47qp Criticality: Unknown URL: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466 Title: Possible Denial of Service Vulnerability in Rack’s header parsing Solution: upgrade to '~> 2.0, >= 2.2.6.4', '>= 3.0.6.1'
Name: rack Version: 2.2.3 CVE: CVE-2022-44572 GHSA: GHSA-rqv2-275x-2jq5 Criticality: Unknown URL: https://github.com/rack/rack/releases/tag/v3.0.4.1 Title: Denial of service via multipart parsing in Rack Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: rack Version: 2.2.3 CVE: CVE-2023-27530 GHSA: GHSA-3h57-hmj3-gj3p Criticality: High URL: https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388 Title: Possible DoS Vulnerability in Multipart MIME parsing Solution: upgrade to '~> 2.0.9, >= 2.0.9.3', '~> 2.1.4, >= 2.1.4.3', '~> 2.2.6, >= 2.2.6.3', '>= 3.0.4.2'