From efaae642b026655593edec4388270be23faa74ee Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 12:01:20 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20rack=203.2.4=20=E2=86=92=203.2.?= =?UTF-8?q?6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump clearing ~11 CVEs (multipart parser differentials/DoS, Host header validation, byte-range DoS, Forwarded injection, Rack::Static/ Directory/Sendfile disclosures). Reachable fixes (multipart uploads, AS byte-range streaming, host parsing) apply transparently via corrective behavior and generous new defaults; the Static/Directory/Sendfile/ Deflater CVEs are not reachable (campfire uses none of those middlewares). No app changes required. Optional hardening noted in plan: new env knob RACK_MULTIPART_PARSER_BYTESIZE_LIMIT (default 10 GiB) could be tuned to campfire's real max attachment size — left at default here. Transitive dep via Rails (no Gemfile change). 23 commits analyzed, 0 required mitigations. Verified green via full unit + system suites. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-rack_v3.2.4..v3.2.6.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4209df1..a45765c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -262,7 +262,7 @@ GEM puma (6.6.1) nio4r (~> 2.0) racc (1.8.1) - rack (3.2.4) + rack (3.2.6) rack-protection (4.2.1) base64 (>= 0.1.0) logger (>= 1.6.0)