🚨 [security] [ruby] Update bcrypt 3.1.20 → 3.1.22 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ bcrypt (indirect, 3.1.20 → 3.1.22) · Repo · Changelog

Security Advisories 🚨

🚨 bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby

Impact

An integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen.

The JRuby implementation of bcrypt-ruby (BCrypt.java) computes the key-strengthening round count as a signed 32-bit integer. When cost=31 (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes zero iterations. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain.

The resulting hash looks valid ($2a$31$...) and verifies correctly via checkpw, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a $2a$31$ hash.

Patches

This problem has been fixed in version 3.1.22

Workarounds

Set the cost to something less than 31.

Release Notes

3.1.22

What's Changed

• Move compilation after bundle install by @tenderlove in #291
• Add TruffleRuby in CI by @tjschuck in #293
• fix env url by @tenderlove in #294

Full Changelog: v3.1.21...v3.1.22

3.1.21

What's Changed

• Provide a 'Changelog' link on rubygems.org/gems/bcrypt by @mark-young-atg in #274
• Support ruby 3.3 and 3.4.0-preview1 by @m-nakamura145 in #276
• Mark as ractor-safe by @mohamedhafez in #280
• Add == gotcha that can be unintuitive at first by @federicoaldunate in #279
• Constant compare by @tenderlove in #282
• try to modernize CI by @tenderlove in #287
• Try to deal with flaky tests by @tenderlove in #288
• Configure trusted publishing by @tenderlove in #289
• bump version by @tenderlove in #290

New Contributors

• @mark-young-atg made their first contribution in #274
• @m-nakamura145 made their first contribution in #276
• @mohamedhafez made their first contribution in #280
• @federicoaldunate made their first contribution in #279

Full Changelog: v3.1.20...v3.1.21

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

• Merge commit from fork
• bump version update changelog
• Fix integer overflow in JRuby BCrypt rounds calculation
• Merge pull request #294 from bcrypt-ruby/fix-publishing
• fix env url
• Merge pull request #293 from bcrypt-ruby/truffleruby-ci-alt-implementation
• Add TruffleRuby in CI
• Merge pull request #291 from tenderlove/fix-publishing
• Move compilation after bundle install
• Merge pull request #290 from tenderlove/bump
• add bundler tasks
• bump version
• Merge pull request #289 from tenderlove/trusted-publishers
• Configure trusted publishing
• Merge pull request #288 from tenderlove/deal-with-flake
• Try to deal with flaky tests
• Merge pull request #287 from tenderlove/modernize-ci
• Modernize CI
• Declare development dependencies
• Merge pull request #282 from tenderlove/constant-compare
• Lets not allocate anything
• Use a constant-time secure comparison for passwords
• Merge pull request #279 from federicoaldunate/fix-eql-comment
• Merge pull request #280 from mohamedhafez/patch-1
• Mark as ractor-safe
• Add == gotcha that can be unintuitive at first
• Merge pull request #276 from m-nakamura145/support-ruby-3-3-x-and-3-4-0-preview1
• Test old Rubies on older x64 macOS
• Ruby 3.4.0.-preview1 is not available on Windows
• Update README to remove specific Ruby version mentions
• Support ruby 3.3 and 3.4.0-preview1
• Merge pull request #274 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/bcrypt

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)