CHEF-28294: Fix CVE-2025-61780 - Update rack gem constraint to >= 3.1.18

kalroy · jashaik · commit f6c9613f816e · 2025-12-09T14:51:33.000+05:30
Update rack gem version constraint in oc-id Gemfile from '> 3.0' to '>= 3.1.18' to address CVE-2025-61780 (CVSS 5.3), an information disclosure vulnerability in Rack::Sendfile when running behind a proxy like Nginx. The vulnerability affects rack versions prior to 2.2.20, 3.1.18, and 3.2.3. Gemfile.lock already contains rack 3.2.3 which is compliant.
diff --git a/src/oc-id/Gemfile b/src/oc-id/Gemfile
@@ -29,7 +29,7 @@ gem 'veil', '~> 0.3.11',
     git: "https://github.com/talktovikas/chef_secrets.git",
     branch: "vikas/debug"
 
-gem 'rack', '> 3.0'
+gem 'rack', '>= 3.1.18'
 
 gem 'omniauth-chef', '~> 0.4.1',
     git: "https://github.com/talktovikas/omniauth-chef.git",
