Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency rack to v2.2.8.1 [SECURITY] #469

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency rack to v2.2.8.1 [SECURITY] #469

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 29, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
rack (changelog) '2.2.8' -> '2.2.8.1' age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-26146

Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 2-0-header-redos.patch - Patch for 2.0 series
  • 2-1-header-redos.patch - Patch for 2.1 series
  • 2-2-header-redos.patch - Patch for 2.2 series
  • 3-0-header-redos.patch - Patch for 3.0 series

Credits

Thanks to svalkanov for reporting this and
providing patches!

CVE-2024-26141

Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the
Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 3-0-range.patch - Patch for 3.0 series
  • 2-2-range.patch - Patch for 2.2 series

Credits

Thank you ooooooo_q for the report and
patch

CVE-2024-25126

Summary

module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

Release Notes

rack/rack (rack)

v2.2.8.1

Compare Source

What's Changed

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/rubygems-rack-vulnerability branch from ff93203 to a2b368e Compare March 5, 2024 12:36
@renovate renovate bot force-pushed the renovate/rubygems-rack-vulnerability branch from a2b368e to 98225e0 Compare March 24, 2024 15:05
@renovate renovate bot changed the title Update dependency rack to v2.2.8.1 [SECURITY] Update dependency rack to v2.2.8.1 [SECURITY] - autoclosed Jul 10, 2024
@renovate renovate bot closed this Jul 10, 2024
@renovate renovate bot deleted the renovate/rubygems-rack-vulnerability branch July 10, 2024 01:41
@renovate renovate bot restored the renovate/rubygems-rack-vulnerability branch July 14, 2024 10:03
@renovate renovate bot changed the title Update dependency rack to v2.2.8.1 [SECURITY] - autoclosed Update dependency rack to v2.2.8.1 [SECURITY] Jul 14, 2024
@renovate renovate bot reopened this Jul 14, 2024
@renovate renovate bot force-pushed the renovate/rubygems-rack-vulnerability branch 2 times, most recently from 4948372 to ea9cfdf Compare July 15, 2024 05:28
@renovate renovate bot force-pushed the renovate/rubygems-rack-vulnerability branch from ea9cfdf to e27b3d1 Compare August 28, 2024 09:32
@yegor256
Copy link
Contributor

@rultor please, try to merge, since 8 checks have passed

@rultor
Copy link
Contributor

rultor commented Aug 28, 2024

@rultor please, try to merge, since 8 checks have passed

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

@rultor
Copy link
Contributor

rultor commented Aug 28, 2024

@rultor please, try to merge, since 8 checks have passed

@renovate[bot] @yegor256 Oops, I failed. You can see the full log here (spent 30min)

/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer/parallel_installer.rb:132:in
`do_install'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer/parallel_installer.rb:117:in
`install_serially'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer/parallel_installer.rb:93:in
`call'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer/parallel_installer.rb:66:in
`call'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer.rb:244:in
`install_in_parallel'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer.rb:201:in
`install'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer.rb:89:in
`block in run'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/process_lock.rb:12:in
`block in lock'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/process_lock.rb:9:in
`open'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/process_lock.rb:9:in
`lock'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer.rb:71:in
`run'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/installer.rb:23:in
`install'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/cli/install.rb:63:in
`run'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/cli.rb:244:in
`block in install'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/settings.rb:158:in
`temporary'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/cli.rb:243:in
`install'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/vendor/thor/lib/thor/command.rb:28:in
`run'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/vendor/thor/lib/thor/invocation.rb:127:in
`invoke_command'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/vendor/thor/lib/thor.rb:527:in
`dispatch'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/cli.rb:34:in
`dispatch'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/vendor/thor/lib/thor/base.rb:584:in
`start'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/cli.rb:28:in
`start'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/exe/bundle:28:in `block in
<top (required)>'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/lib/bundler/friendly_errors.rb:117:in
`with_friendly_errors'
/usr/local/rvm/gems/ruby-3.2.2/gems/bundler-2.5.6/exe/bundle:20:in `<top
(required)>'
  /usr/local/rvm/gems/ruby-3.2.2/bin/bundle:25:in `load'
  /usr/local/rvm/gems/ruby-3.2.2/bin/bundle:25:in `<main>'

An error occurred while installing openssl (2.2.3), and Bundler cannot continue.

In Gemfile:
  glogin was resolved to 0.16.4, which depends on
    openssl
container ab602d6fffc0c3af53baf2c11c6e075b3321fc5def95d0877e177857424e22d6 is dead
Wed Aug 28 10:18:57 UTC 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yegor256 @rultor