Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update gem "rack" to '>= 2.2.3.1' #1105

Open
Janell-Huyck opened this issue Nov 3, 2023 · 0 comments
Open

Update gem "rack" to '>= 2.2.3.1' #1105

Janell-Huyck opened this issue Nov 3, 2023 · 0 comments

Comments

@Janell-Huyck
Copy link
Contributor

Janell-Huyck commented Nov 3, 2023

No breaking changes noted up to v2.2.4, but then the changelog jumps to 3.0 (skipping 2.2.6.4) with multiple breaking changes. We have 2.2.3 pinned in the gemfile. It looks like 2.2.6.4 will take care of bundler-audit warnings.

Name: rack
Version: 2.2.3
CVE: CVE-2022-30123
GHSA: GHSA-wq4h-7r42-5hrr
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Title: Possible shell escape sequence injection vulnerability in Rack
Solution: upgrade to '> 2.0.9, >= 2.0.9.1', '> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 2.2.3
CVE: CVE-2022-30122
GHSA: GHSA-hxqx-xwvh-44m2
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Title: Denial of Service Vulnerability in Rack Multipart Parsing
Solution: upgrade to '> 2.0.9, >= 2.0.9.1', '> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 2.2.3
CVE: CVE-2022-44571
GHSA: GHSA-93pm-5p5f-3ghx
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of Service Vulnerability in Rack Content-Disposition parsing
Solution: upgrade to '> 2.0.9, >= 2.0.9.2', '> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: rack
Version: 2.2.3
CVE: CVE-2022-44570
GHSA: GHSA-65f5-mfpf-vfhj
Criticality: High
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via header parsing in Rack
Solution: upgrade to '> 2.0.9, >= 2.0.9.2', '> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'

Name: rack
Version: 2.2.3
CVE: CVE-2023-27539
GHSA: GHSA-c6qg-cjj8-47qp
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Title: Possible Denial of Service Vulnerability in Rack’s header parsing
Solution: upgrade to '~> 2.0, >= 2.2.6.4', '>= 3.0.6.1'

Name: rack
Version: 2.2.3
CVE: CVE-2022-44572
GHSA: GHSA-rqv2-275x-2jq5
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via multipart parsing in Rack
Solution: upgrade to '> 2.0.9, >= 2.0.9.2', '> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: rack
Version: 2.2.3
CVE: CVE-2023-27530
GHSA: GHSA-3h57-hmj3-gj3p
Criticality: High
URL: https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
Title: Possible DoS Vulnerability in Multipart MIME parsing
Solution: upgrade to '> 2.0.9, >= 2.0.9.3', '> 2.1.4, >= 2.1.4.3', '~> 2.2.6, >= 2.2.6.3', '>= 3.0.4.2'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants