There is a possible DoS vulnerability in the multipart parser in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16470.

Versions Affected: 2.0.4, 2.0.5
Not affected: <= 2.0.3
Fixed Versions: 2.0.6

Impact
------

There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.

Impacted code can look something like this:

```
Rack::Request.new(env).params
```

But any code that uses the multipart parser may be vulnerable. Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well.

All users running an affected release should either upgrade or use one of the workarounds immediately.

There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471.

Versions Affected: All.
Not affected: None.
Fixed Versions: 2.0.6, 1.6.11

Impact
------

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

```
<%= request.scheme.html_safe %>
```

Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The 2.0.6 and 1.6.11 releases are available at the normal locations.
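The `scheme` issue above, as an added example that is neither Rack's code nor part of the advisory: a small Ruby model of deriving a request scheme from proxy-forwarded headers, first in the trusting shape (return whatever the header says) and then with a closed http/https whitelist, followed by the rendering step with and without output escaping. The header names (`HTTP_X_FORWARDED_SCHEME`, `HTTP_X_FORWARDED_PROTO`), the `rack.url_scheme` fallback and the `"http"` default are assumptions made for this model, and the request env is constructed here, not captured from a real client.

```ruby
# Added example, not Rack's own implementation: a model of scheme derivation
# from proxy headers, in a trusting form beside a whitelisted form, plus the
# template step with and without escaping.
require 'cgi'

# Assumed header names a reverse proxy sets; the advisory only says
# "carefully crafted requests" can influence `scheme`.
FORWARDED_SCHEME_KEYS = %w[HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_PROTO].freeze
ALLOWED_SCHEMES = %w[http https].freeze

# Vulnerable shape: the first forwarded value is returned verbatim, so a
# client that can set the header controls the string the app treats as a scheme.
def scheme_trusting(env)
  return 'https' if env['HTTPS'] == 'on'
  FORWARDED_SCHEME_KEYS.each do |key|
    value = env[key]
    return value.split(',').first.strip if value && !value.empty?
  end
  env.fetch('rack.url_scheme', 'http')
end

# Hardened shape: a forwarded value is accepted only if it is exactly one of
# the known schemes; anything else falls back to what the server itself knows.
def scheme_whitelisted(env)
  return 'https' if env['HTTPS'] == 'on'
  FORWARDED_SCHEME_KEYS.each do |key|
    value = env[key]
    next if value.nil? || value.empty?
    candidate = value.split(',').first.strip.downcase
    return candidate if ALLOWED_SCHEMES.include?(candidate)
  end
  env.fetch('rack.url_scheme', 'http')
end

# Rendering step. render_raw models a template that marks the value html_safe
# (interpolated as-is); render_escaped models the normal escaping path.
def render_raw(scheme)
  "<a href=\"#{scheme}://example.test/\">home</a>"
end

def render_escaped(scheme)
  "<a href=\"#{CGI.escapeHTML(scheme)}://example.test/\">home</a>"
end

# Constructed request env (assumption, not a captured request): a client
# reaching the app with a forged proxy header that carries markup.
EVIL_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_HOST' => 'example.test',
  'HTTP_X_FORWARDED_PROTO' => '"><script>alert(1)</script><a href="'
}.freeze

# Collect the four outcomes for one request so they can be compared.
def demo(env = EVIL_ENV)
  {
    trusting: scheme_trusting(env),
    whitelisted: scheme_whitelisted(env),
    raw_html: render_raw(scheme_trusting(env)),
    escaped_html: render_escaped(scheme_trusting(env))
  }
end

if __FILE__ == $0
  demo.each { |name, value| puts "#{name}: #{value}" }
end
```

Run it and the trusting variant hands the injected markup back as the "scheme", which the `html_safe` template then emits verbatim; the whitelisted variant returns `http` for the same request, and escaping on output neutralises the value even when the scheme was not validated, which is why the advisory says applications on the normal Rails escaping path may not be affected.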
rack 1.6.11 and rack 2.0.6 are now available. I'd like to postpone stabling for a few days since we missed a lot of the intermediate 1.6.x releases.
Please test and mark stable.
amd64 stable
sparc stable
x86 stable
arm stable
ia64 stable
hppa stable
ppc stable
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9b3fad02e5c0ef8bcfaf0ee094af520263ea5e2

commit a9b3fad02e5c0ef8bcfaf0ee094af520263ea5e2
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:04:29 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:04:40 +0000

    dev-ruby/rack-1.6.11-r0: alpha stable

    Bug: http://bugs.gentoo.org/670476
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-ruby/rack/rack-1.6.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
Cleanup done.
(In reply to Hans de Graaff from comment #13)
> Cleanup done.

Thanks, Hans!

GLSA Vote: No