Skip to content

Bump rack from 2.2.22 to 2.2.23#2997

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bundler/rack-2.2.23
Open

Bump rack from 2.2.22 to 2.2.23#2997
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bundler/rack-2.2.23

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026
edited
Loading

Bumps rack from 2.2.22 to 2.2.23.

Changelog

Sourced from rack's changelog.

[2.2.23] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
Commits
  • f2af0c8 Bump patch version.
  • 345b744 Fix tests for old Rubies.
  • e2d8e30 Add version guard around non-default gems.
  • add1a80 Fix handling of Errno::EPIPE in multipart tests.
  • 54261ec Fix typo in test.
  • a36f48b Add ostruct to Gemfile.
  • 8883f0d Fix test expectation.
  • 2287a3b Add logger to gemfile.
  • e6540e5 Add Ruby v4.0 to the test matrix.
  • c42e357 Add Content-Length size check in Rack::Multipart::Parser
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Apr 2, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2026
edited
Loading

Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit a49b029.

♻️ This comment has been updated with latest results.

@dependabot dependabot bot force-pushed the dependabot/bundler/rack-2.2.23 branch from 1f04a7d to 87d624b Compare April 9, 2026 19:34
@dependabot
Bump rack from 2.2.22 to 2.2.23
a49b029 
Bumps [rack](https://github.com/rack/rack) from 2.2.22 to 2.2.23.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.22...v2.2.23)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 2.2.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/bundler/rack-2.2.23 branch from 87d624b to a49b029 Compare April 15, 2026 20:43
@aprilrieger aprilrieger added the patch-ver for release notes label Apr 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file patch-ver for release notes ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aprilrieger