Update rack gem
There were two CVEs filed against the rack gem, this bumps the version
from 2.0.5 to 2.0.6.

[CVE-2018-16471][1]

> moderate severity
> Vulnerable versions: >= 2.0.0, < 2.0.6
> Patched version: 2.0.6
>
> There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11.
> Carefully crafted requests can impact the data returned by the scheme
> method on Rack::Request. Applications that expect the scheme to be
> limited to 'http' or 'https' and do not escape the return value could be
> vulnerable to an XSS attack. Note that applications using the normal
> escaping mechanisms provided by Rails may not be impacted, but applications
> that bypass the escaping mechanisms, or do not use them may be
> vulnerable.

[CVE-2018-16470][2]

> moderate severity
> Vulnerable versions: >= 2.0.4, < 2.0.6
> Patched version: 2.0.6
>
> There is a possible DoS vulnerability in the multipart parser in Rack
> before 2.0.6. Specially crafted requests can cause the multipart parser
> to enter a pathological state, causing the parser to use CPU resources
> disproportionate to the request size.

[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-16471
[2]: https://nvd.nist.gov/vuln/detail/CVE-2018-16470
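The first advisory above says the risk is in applications that trust `Rack::Request#scheme` to be only `http` or `https` and emit it unescaped. The following is an added example, not code from this commit or from the rack gem, showing the two application-side mitigations that remain sensible even after the upgrade: allow-listing the reported scheme and HTML-escaping anything derived from it before it reaches markup. The helper names and the sample inputs are constructed for illustration.

```ruby
require 'cgi'

# Added example (not part of the commit or the rack gem). It treats the
# value returned by Rack::Request#scheme as untrusted request data: reduce
# it to an expected value, then escape before interpolating into HTML.

ALLOWED_SCHEMES = %w[http https].freeze

# Reduce an arbitrary reported scheme to one of the two expected values.
# Anything else (including proxy-header-derived strings) falls back to the
# default instead of being echoed to the client.
def normalize_scheme(reported, default: 'http')
  s = reported.to_s.strip.downcase
  ALLOWED_SCHEMES.include?(s) ? s : default
end

# Build an origin string suitable for embedding in an HTML page. The
# allow-list removes unexpected schemes; escaping guards the host and any
# remaining characters so the value cannot break out of its markup context.
def safe_origin_html(reported_scheme, host)
  scheme = normalize_scheme(reported_scheme)
  CGI.escapeHTML("#{scheme}://#{host}")
end

# Constructed samples: a normal scheme and a string that is not a scheme.
if __FILE__ == $PROGRAM_NAME
  puts safe_origin_html('https', 'example.test')          # https://example.test
  puts safe_origin_html('<b>not-a-scheme</b>', 'example.test') # http://example.test
end
```

`normalize_scheme` is what an application would apply to the value it gets from `request.scheme`; `safe_origin_html` shows the escaping step that the advisory notes Rails performs by default but that hand-built output paths must do themselves.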
csexton committed Nov 17, 2018
1 parent 9a49ce9 commit 8426ac0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rails/Gemfile.lock
@@ -169,7 +169,7 @@ GEM
puma (3.12.0)
pundit (2.0.0)
activesupport (>= 3.0.0)
rack (2.0.5)
rack (2.0.6)
rack-proxy (0.6.5)
rack
rack-test (1.1.0)
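Review bot: only the locked `rack` entry moves from 2.0.5 to 2.0.6 in this hunk, and the commit touches just rails/Gemfile.lock, so the change depends on the Gemfile's existing `rack` constraint (not visible here) already admitting 2.0.6; if it is pinned to 2.0.5 the lock and Gemfile will disagree on the next `bundle install`, so confirm the constraint before merging. The bump matches the "Patched version: 2.0.6" stated for both CVEs in the commit message, and the surrounding entries (`puma`, `pundit`, `rack-proxy`, `rack-test`) are unchanged context, so nothing else in the lock needs to follow.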