Skip to content

Bump rack from 3.2.5 to 3.2.6#37

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/rack-2.2.8.1
Open

Bump rack from 3.2.5 to 3.2.6#37
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/rack-2.2.8.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 29, 2024

Copy link
Copy Markdown
Contributor

Bumps rack from 3.2.5 to 3.2.6.

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Feb 29, 2024
@kaysiz

kaysiz commented Jun 4, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [rack](https://github.com/rack/rack) from 3.2.5 to 3.2.6.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.2.5...v3.2.6)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 2.2.8.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump rack from 2.2.6.4 to 2.2.8.1 Bump rack from 3.2.5 to 3.2.6 Jun 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/bundler/rack-2.2.8.1 branch from ad41c58 to ff2b773 Compare June 4, 2026 10:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant