Skip to content

Bump rack from 3.2.4 to 3.2.6 in /src/oc-id#4170

Open
dependabot[bot] wants to merge 5 commits into
mainfrom
dependabot/bundler/src/oc-id/rack-3.2.6
Open

Bump rack from 3.2.4 to 3.2.6 in /src/oc-id#4170
dependabot[bot] wants to merge 5 commits into
mainfrom
dependabot/bundler/src/oc-id/rack-3.2.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps rack from 3.2.4 to 3.2.6.

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.

[3.2.5] - 2026-02-16

Security

  • CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
  • CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

Fixed

Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Apr 29, 2026
@dependabot dependabot Bot requested review from a team as code owners April 29, 2026 05:58
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Apr 29, 2026
@netlify
Copy link
Copy Markdown

netlify Bot commented Apr 29, 2026
edited
Loading

👷 Deploy Preview for chef-server processing.

Name Link
🔨 Latest commit cb88ecd
🔍 Latest deploy log https://app.netlify.com/projects/chef-server/deploys/6a0414aa12d74000089401f8

marcparadise and others added 4 commits May 11, 2026 16:28
@marcparadise @jashaik
Minor updates to keep dev vm working
f60eebe 
Signed-off-by: Marc A. Paradise <marc.paradise@progress.com>
@marcparadise @jashaik
add new kvpairs table for system state
b2856ca 
Signed-off-by: Marc A. Paradise <marc.paradise@progress.com>
@marcparadise @jashaik
implement default-off local license check
5f9d5ec 
This is controlled by a build-time compilation macro, OC_LICENSE_PATH
By default, this will have a value of 'cli', which will preserve the
existing license check behavior of using the automate cli when present.

If the macro is set to a file path (this can be done by setting the
environment variable OC_LICENSE_PATH to the target location, prior to
build) then at run-time, erchef will expect to find a license file in
this location.

If the specified the license file is missing or invalid, it is treated as
a 90 day trial license from time of upgrade to the version that
implements this change.

When the file is present, the expiration is pulled from the file, based
on the entitlement end time furthest in the future. This was chosen
because the license content does not directly contain expiration date.
@jashaik
Update omnibus submodule to latest main (939f4c9)
f6c0ac8
@talktovikas talktovikas force-pushed the dependabot/bundler/src/oc-id/rack-3.2.6 branch from 2e5ddf4 to d77d08f Compare May 12, 2026 04:02
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@dependabot @talktovikas
Bump rack from 3.2.4 to 3.2.6 in /src/oc-id
cb88ecd 
Bumps [rack](https://github.com/rack/rack) from 3.2.4 to 3.2.6.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.2.4...v3.2.6)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@talktovikas talktovikas force-pushed the dependabot/bundler/src/oc-id/rack-3.2.6 branch from d77d08f to cb88ecd Compare May 13, 2026 06:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@marcparadise @jashaik