From 8426ac0780839592a56d8cbfd089ca776983733a Mon Sep 17 00:00:00 2001 From: Christopher Sexton Date: Fri, 16 Nov 2018 20:27:12 -0500 Subject: [PATCH] Update rack gem There were two CVEs filed against the rack gem, this bumps the version from 2.0.5 to 2.0.6. [CVE-2018-16471][1] > moderate severity > Vulnerable versions: >= 2.0.0, < 2.0.6 > Patched version: 2.0.6 > > There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. > Carefully crafted requests can impact the data returned by the scheme > method on Rack::Request. Applications that expect the scheme to be > limited to 'http' or 'https' and do not escape the return value could be > vulnerable to an XSS attack. Note that applications using the normal > escaping mechanisms provided by Rails may not impacted, but applications > that bypass the escaping mechanisms, or do not use them may be > vulnerable. [CVE-2018-16470][2] > moderate severity > Vulnerable versions: >= 2.0.4, < 2.0.6 > Patched version: 2.0.6 > > There is a possible DoS vulnerability in the multipart parser in Rack > before 2.0.6. Specially crafted requests can cause the multipart parser > to enter a pathological state, causing the parser to use CPU resources > disproportionate to the request size. [1]: https://nvd.nist.gov/vuln/detail/CVE-2018-16471 [2]: https://nvd.nist.gov/vuln/detail/CVE-2018-16470 --- rails/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rails/Gemfile.lock b/rails/Gemfile.lock index 102cf0733..6bf177666 100644 --- a/rails/Gemfile.lock +++ b/rails/Gemfile.lock @@ -169,7 +169,7 @@ GEM puma (3.12.0) pundit (2.0.0) activesupport (>= 3.0.0) - rack (2.0.5) + rack (2.0.6) rack-proxy (0.6.5) rack rack-test (1.1.0)
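Review bot: The lock bump from `rack (2.0.5)` to `rack (2.0.6)` matches the patched version named in both quoted advisories (vulnerable ranges `>= 2.0.0, < 2.0.6` and `>= 2.0.4, < 2.0.6`), so this single change clears both CVE-2018-16471 and CVE-2018-16470 for this lockfile. Since the diff touches only `rails/Gemfile.lock` (1 file changed, 1 insertion, 1 deletion), confirm that the accompanying Gemfile carries no `rack` version constraint that would exclude 2.0.6; no Gemfile change is visible here, and a `bundle update rack` that silently stayed at 2.0.5 would leave the lock inconsistent. The bare `rack` line nested under `rack-proxy (0.6.5)` is an unversioned dependency, so no other lock entry needs to move for this bump. As a documentation point, the commit message quotes the advisories but does not say whether this application uses `Rack::Request#scheme` outside the framework's escaping or accepts multipart uploads; a sentence on that would let reviewers judge how urgent the deploy is.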