
Upgrade rack gem CVE-2025-27111 #23367

Merged
merged 1 commit into from
Mar 5, 2025

Conversation

kbrock
Member

@kbrock kbrock commented Mar 5, 2025

We're currently in the 2.2.x world
Radjabov Gemfile.lock.release points to 2.2.10 (vulnerable)

GHSA-8cgq-6mh2-7j6v

@kbrock kbrock added labels Mar 5, 2025: security fix (Security fix generated by WhiteSource), Mend: configuration error (WhiteSource configuration error)
@kbrock kbrock requested a review from Fryguy as a code owner March 5, 2025 18:55
@kbrock
Member Author

kbrock commented Mar 5, 2025

We may want to consider upgrading to Rack 3.0 or 3.1.

https://github.com/rack/rack/blob/main/UPGRADE-GUIDE.md doesn't look too difficult.
This is probably a separate effort

@Fryguy
Member

Fryguy commented Mar 5, 2025

What version of rack comes with Rails 7.1? Do we even need to specify rack if it's coming in via Rails?

EDIT: I checked myself and it's rack 3.1.11

Gemfile Outdated
@@ -67,7 +67,7 @@ gem "pg-dsn_parser", "~>0.1.1", :require => false
gem "prism", ">=0.25.0", :require => false # Used by DescendantLoader
gem "psych", ">=3.1", :require => false # 3.1 safe_load changed positional to kwargs like aliases: true: https://github.com/ruby/psych/commit/4d4439d6d0adfcbd211ea295779315f1baa7dadd
gem "query_relation", "~>0.1.0", :require => false
gem "rack", ">=2.2.6.4", :require => false
gem "rack", ">=2.2.11", :require => false
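Review bot: the new floor `>=2.2.11` is one patch release short of the fix; the review thread states the fix landed in 2.2.12, so this line should read `gem "rack", ">=2.2.12", :require => false`. A bare `>=` floor also does nothing to stop Bundler resolving rack 3.x once the lockfile is regenerated, while the description says the project is staying on 2.2.x for now and treats the 3.x upgrade as a separate effort; pinning the series as well (`gem "rack", "~>2.2", ">=2.2.12", :require => false`) keeps the Gemfile consistent with that intent. Raising the floor in the Gemfile only changes the resolved version after `bundle update rack`, so the Gemfile.lock (and the release lockfile the description says still points at 2.2.10) needs the same bump.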
Member

The fix is in 2.2.12, so this needs to be at least that.

@Fryguy
Member

Fryguy commented Mar 5, 2025

ok for now to get everything green, especially the security suite, let's just get to 2.2.12.

@miq-bot
Member

miq-bot commented Mar 5, 2025

Checked commit kbrock@3664392 with ruby 3.1.5, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. 🍪

@kbrock
Member Author

kbrock commented Mar 5, 2025

So I had assumed that rails would have required rack 3.1.11. (I put in 3.1.11 first - rolled back to 2.2.11 - and flubbed it)

Rails 7.1.5.1 requires actionpack, which requires rack >= 2.2.4 [ref]
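The version arithmetic behind the thread above (what the lockfile pins, what a Gemfile floor admits, and why a floor alone does not keep a project in one series), as an added example that is not ManageIQ's or rack's own code. It uses only Gem::Version and Gem::Requirement from RubyGems, which ship with Ruby. The Gemfile.lock excerpt and the list of "released" versions are constructed stand-ins; 2.2.12 is the fixed release the thread cites, while the 3.0.12 and 3.1.11 floors for the other series are taken from the upstream advisory GHSA-8cgq-6mh2-7j6v rather than from this page.

```ruby
require "rubygems"

# Lowest patched release per minor series for GHSA-8cgq-6mh2-7j6v (CVE-2025-27111).
# 2.2.12 is the version cited in the PR; 3.0.12 and 3.1.11 come from the
# upstream advisory and are not stated on this page.
RACK_FIXED = {
  "2.2" => Gem::Version.new("2.2.12"),
  "3.0" => Gem::Version.new("3.0.12"),
  "3.1" => Gem::Version.new("3.1.11"),
}.freeze

# Constructed Gemfile.lock excerpt (not a real ManageIQ lockfile). The resolved
# rack version is the 4-space-indented "rack (x.y.z)" entry under GEM/specs;
# the 6-space entries beneath other gems are their requirements, not versions.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.5.1)
        rack (>= 2.2.4)
      rack (2.2.10)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack (>= 2.2.6.4)
LOCK

# Constructed list standing in for the releases rubygems.org would offer.
RELEASED = %w[2.2.10 2.2.11 2.2.12 3.0.11 3.0.12 3.1.10 3.1.11]
           .map { |v| Gem::Version.new(v) }.freeze

# Return the version a lockfile resolved for gem_name, or nil if absent.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \((\d+(?:\.\d+)+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# A release is vulnerable when it is below the fixed release of its own
# minor series. Series without an entry (e.g. 2.1) are treated as vulnerable
# only if they predate the oldest fixed release.
def vulnerable?(version)
  series = version.segments[0, 2].join(".")
  fixed = RACK_FIXED[series]
  return version < RACK_FIXED.values.min if fixed.nil?
  version < fixed
end

# Which of the released versions a Gemfile requirement still allows.
def admitted(*constraints)
  req = Gem::Requirement.new(*constraints)
  RELEASED.select { |v| req.satisfied_by?(v) }.map(&:to_s)
end

# Does the requirement still let Bundler pick a vulnerable release?
def admits_vulnerable?(*constraints)
  admitted(*constraints).any? { |v| vulnerable?(Gem::Version.new(v)) }
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCK, "rack")
  puts "locked rack #{v}: #{vulnerable?(v) ? 'VULNERABLE' : 'ok'}"
  [[">=2.2.6.4"], [">=2.2.11"], [">=2.2.12"], ["~>2.2", ">=2.2.12"]].each do |c|
    verdict = admits_vulnerable?(*c) ? "still admits a vulnerable release" : "safe"
    puts "#{c.join(', ')} -> #{admitted(*c).join(' ')} (#{verdict})"
  end
end
```

Two things fall out of running it: the floor `>=2.2.11` from the first revision of the diff still admits 2.2.11, and even `>=2.2.12` still admits 3.0.11 and 3.1.10, because a floor set in one series says nothing about the others. Only the combined `~>2.2, >=2.2.12` narrows the choice to 2.2.12, which is what the "stay on 2.2.x for now" decision in the thread implies.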

@Fryguy Fryguy merged commit c350767 into ManageIQ:master Mar 5, 2025
8 checks passed
Fryguy added a commit that referenced this pull request Mar 5, 2025
Upgrade rack gem CVE-2025-27111

(cherry picked from commit c350767)
@Fryguy
Member

Fryguy commented Mar 5, 2025

Manually backported to spassky in f6ef9b5 and 0aaa3e0

commit 0aaa3e02dcf99ea90223f9eebc48837596588e4d (HEAD -> spassky, upstream/spassky)
Author: Jason Frey <fryguy9@gmail.com>
Date:   Wed Mar 5 17:43:03 2025 -0500

    Update lockfile after backport of #23367

commit f6ef9b58ab2713d69e2a6704c9d6fd3359a66126
Author: Jason Frey <fryguy9@gmail.com>
Date:   Wed Mar 5 17:41:12 2025 -0500

    Merge pull request #23367 from kbrock/cve_rack

    Upgrade rack gem CVE-2025-27111

    (cherry picked from commit c350767c62ca22a9bde02cd0f247e60015841d45)

@kbrock kbrock deleted the cve_rack branch March 5, 2025 22:44
Labels: dependencies, Mend: configuration error (WhiteSource configuration error), security fix (Security fix generated by WhiteSource), spassky/backported