Update Rack gem to 2.2.3

Description

Hakiri says there is a vulnerability in Rack:

[CVE-2020-8161] Directory traversal in Rack::Directory

There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
This vulnerability has been assigned the CVE identifier CVE-2020-8161.

Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0

Testing-wise, if the site loads, we’re probably okay.

Activity

redsummernight
May 14, 2020, 2:08 AM

We don’t use Rack::Directory. I've marked the Hakiri finding as a false positive. We can fix this whenever, at which point we can unmark the finding as a false positive.

james_
June 20, 2020, 12:28 PM
Edited

CVE-2020-8184: I think we should bump the version.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
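
A check of a Rack version string against the two advisories' ranges quoted in this ticket, written as an added example (not code from the ticket or from Rack). It encodes the ranges as given above with RubyGems' Gem::Requirement, so it shows that 2.1.4 is fixed for both CVEs while 2.2.0 through 2.2.2 are still affected by CVE-2020-8184; the installed-version lookup is an assumption about RubyGems being able to see the rack gem.

```ruby
require "rubygems"

# Fixed-version ranges for the two Rack advisories quoted in this ticket.
# A version is affected by a CVE unless it satisfies at least one of the
# CVE's requirement sets (each Gem::Requirement is an AND of constraints).
RACK_ADVISORIES = {
  # Fixed: 2.1.3 and >= 2.2.0, i.e. anything from 2.1.3 on is fixed.
  "CVE-2020-8161" => [Gem::Requirement.new(">= 2.1.3")],
  # Fixed: >= 2.1.4 on the 2.1 line, >= 2.2.3 on the 2.2 line;
  # 2.2.0 .. 2.2.2 are therefore still affected.
  "CVE-2020-8184" => [
    Gem::Requirement.new(">= 2.1.4", "< 2.2.0"),
    Gem::Requirement.new(">= 2.2.3"),
  ],
}.freeze

# True when +version+ (a string such as "2.2.3") is fixed for +cve+.
def rack_fixed_for?(cve, version)
  v = Gem::Version.new(version)
  RACK_ADVISORIES.fetch(cve).any? { |req| req.satisfied_by?(v) }
end

# CVEs from the ticket that still apply to +version+, in advisory order.
def rack_open_cves(version)
  RACK_ADVISORIES.keys.reject { |cve| rack_fixed_for?(cve, version) }
end

# Version of the rack gem visible to RubyGems, or nil when it is not installed
# (assumption: the gem is resolvable from the current RubyGems environment).
def installed_rack_version
  Gem::Specification.find_by_name("rack").version.to_s
rescue Gem::MissingSpecError
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions plus whatever is installed locally.
  ["2.0.8", "2.1.3", "2.1.4", "2.2.0", "2.2.3", installed_rack_version].compact.each do |ver|
    open = rack_open_cves(ver)
    puts "rack #{ver}: #{open.empty? ? 'not affected' : open.join(', ')}"
  end
end
```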

Sarken
June 25, 2020, 9:45 PM

Site loads for me!

DeployedToBeta

Assignee

james_

Reporter

Sarken

Roadmap

Misc

Priority

Low

Affects versions

Fix versions

Components

BackEnd
Gems

Difficulty

Easy

Milestone

Internal 0.9