mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
dep: update rack 3.2.4 → 3.2.6
Security bump clearing ~11 CVEs (multipart parser differentials/DoS, Host header validation, byte-range DoS, Forwarded injection, Rack::Static/ Directory/Sendfile disclosures). Reachable fixes (multipart uploads, AS byte-range streaming, host parsing) apply transparently via corrective behavior and generous new defaults; the Static/Directory/Sendfile/ Deflater CVEs are not reachable (campfire uses none of those middlewares). No app changes required. Optional hardening noted in plan: new env knob RACK_MULTIPART_PARSER_BYTESIZE_LIMIT (default 10 GiB) could be tuned to campfire's real max attachment size — left at default here. Transitive dep via Rails (no Gemfile change). 23 commits analyzed, 0 required mitigations. Verified green via full unit + system suites. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-rack_v3.2.4..v3.2.6.md 🤖 Assisted by Claude
This commit is contained in:
+1
-1
@@ -262,7 +262,7 @@ GEM
|
||||
puma (6.6.1)
|
||||
nio4r (~> 2.0)
|
||||
racc (1.8.1)
|
||||
rack (3.2.4)
|
||||
rack (3.2.6)
|
||||
rack-protection (4.2.1)
|
||||
base64 (>= 0.1.0)
|
||||
logger (>= 1.6.0)
|
||||
|
||||
Reference in New Issue
Block a user