
Sidekiq 5.2.8 locks Rack to 2.0.x (CVE found) #4566

Closed
davidmyersdev opened this issue May 15, 2020 · 9 comments

Comments

@davidmyersdev

Ruby: 2.4.6
Sidekiq: 5.2.8
Rack: 2.0.9

Are you using an old version?

No

Have you checked the changelogs to see if your issue has been fixed in a later version?

https://github.com/mperham/sidekiq/blob/master/Changes.md
https://github.com/mperham/sidekiq/blob/master/Pro-Changes.md
https://github.com/mperham/sidekiq/blob/master/Ent-Changes.md

Yes, 5.2.8 is the latest version in the 5.x series.

Problem

A recent CVE has been announced for Rack 2.0.x. Sidekiq will not allow Rack to be upgraded to the recommended versions. Here is the output of bundler-audit.

Name: rack
Version: 2.0.9
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0
@davidmyersdev davidmyersdev changed the title Sidekiq 5.2.8 locks Rack to 2.0.x - CVE in Rack 2.0.9 Sidekiq 5.2.8 locks Rack to 2.0.x (CVE found) May 15, 2020
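The problem reported above is a dependency constraint that excludes every patched release. The following Ruby script is an added example (not code from the issue or from the Sidekiq project) that makes that condition checkable: it parses the advisory's "Solution:" line from the bundler-audit output quoted above, then uses RubyGems' own Gem::Requirement and Gem::Version to ask whether any patched Rack release is admissible under a dependency constraint. The constraint "~> 2.0.0" is an assumption used to model "locks Rack to 2.0.x"; the list of released Rack versions is constructed for the example, not taken from RubyGems.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed input: the "Solution:" line from the bundler-audit output quoted in the issue.
SOLUTION_LINE = "Solution: upgrade to ~> 2.1.3, >= 2.2.0"

# Constructed sample of released Rack versions (not a query against rubygems.org).
RELEASED_RACK = %w[2.0.8 2.0.9 2.1.2 2.1.3 2.1.4 2.2.0 2.2.1]

# Assumption: Sidekiq's Rack dependency is modelled as "~> 2.0.0", i.e. >= 2.0.0 and < 2.1.
ASSUMED_SIDEKIQ_CONSTRAINT = "~> 2.0.0"

# Turn a bundler-audit "Solution: upgrade to A, B" line into an array of requirement strings.
# Each entry is an independent fix line: satisfying any one of them means the CVE is patched.
def parse_solution(line)
  line.sub(/\A\s*Solution:\s*upgrade to\s*/i, "").split(",").map(&:strip)
end

# True when +version+ satisfies at least one of the patched-version requirements.
def patched?(version, patched_reqs)
  v = Gem::Version.new(version)
  patched_reqs.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Releases that are both admitted by the dependency +constraint+ and patched against the advisory.
def remediation_candidates(constraint, patched_reqs, released)
  dep = Gem::Requirement.new(constraint)
  released.select do |ver|
    dep.satisfied_by?(Gem::Version.new(ver)) && patched?(ver, patched_reqs)
  end
end

# :blocked when the constraint admits no patched release (the situation in this issue),
# :upgradable when at least one patched release can be installed without relaxing the constraint.
def assess(constraint, patched_reqs, released)
  remediation_candidates(constraint, patched_reqs, released).empty? ? :blocked : :upgradable
end

if __FILE__ == $PROGRAM_NAME
  patched = parse_solution(SOLUTION_LINE)
  [ASSUMED_SIDEKIQ_CONSTRAINT, ">= 2.0"].each do |constraint|
    candidates = remediation_candidates(constraint, patched, RELEASED_RACK)
    puts "#{constraint.ljust(8)} -> #{assess(constraint, patched, RELEASED_RACK)} (candidates: #{candidates.join(', ')})"
  end
end
```

Under the assumed "~> 2.0.0" constraint the result is :blocked with no candidates, which is exactly why bundler-audit keeps failing in CI until the constraint is relaxed; a constraint such as ">= 2.0" yields 2.1.3, 2.1.4, 2.2.0 and 2.2.1 as candidates. The same check can be run against any advisory whose "Solution:" line uses RubyGems requirement syntax.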
@mperham
Collaborator

mperham commented May 15, 2020

Do you use Rack::Directory? If not, this version doesn’t matter to you. If yes, you can run the 5-x branch.

@davidmyersdev
Author

@mperham I appreciate the quick response. Our CI builds require bundler-audit to pass, and I'd prefer to not just add an exception for this. Is there a plan to release this under 5.x, or is using the branch the only option?

@mperham
Collaborator

mperham commented May 15, 2020

I'm not in a hurry to release. There's a CVE in a Rack feature that is not enabled by default and the community does not use (at least I've never heard of anyone using it). If someone uses Sidekiq AND Rack::Directory in the same app, please speak up.

@mperham
Collaborator

mperham commented May 15, 2020

For any curious, this will use the branch:

gem 'sidekiq', github: 'mperham/sidekiq', branch: '5-x'

@y-yagi
Contributor

y-yagi commented Jun 16, 2020

Is there any plan to release a new version of the 5.2 series of Sidekiq?
Recently Rack released another security patch, and a new version of Sidekiq is needed to upgrade Rack.
Ref: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8184.yml

@mperham
Collaborator

mperham commented Jun 16, 2020

Sidekiq 5.2.9 has been released.

@mperham mperham closed this as completed Jun 16, 2020
@adamzolotarev

adamzolotarev commented Jun 16, 2020

Oh, 5.2.9 just relaxed the Rack requirements. It doesn't address the disappearing UI issue when you update Rack.

@mperham
Collaborator

mperham commented Jun 16, 2020 via email

@adamzolotarev

adamzolotarev commented Jun 16, 2020

Sorry, it looks like it was an issue with New Relic. I just needed to also update the New Relic gem based on #4440.
