From 248383519ed2459638d53721a0707312d9585e5d Mon Sep 17 00:00:00 2001
From: Kallol Roy
Date: Thu, 4 Dec 2025 20:39:04 +0530
Subject: [PATCH 1/3] CHEF-28294: Fix CVE-2025-61780 - Update rack gem constraint to >= 3.1.18

Update rack gem version constraint in oc-id Gemfile from '> 3.0' to '>= 3.1.18' to address CVE-2025-61780 (CVSS 5.3), an information disclosure vulnerability in Rack::Sendfile when running behind a proxy like Nginx. The vulnerability affects rack versions prior to 2.2.20, 3.1.18, and 3.2.3. Gemfile.lock already contains rack 3.2.3 which is compliant.
---
 src/oc-id/Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oc-id/Gemfile b/src/oc-id/Gemfile
index 835ddda485..e5398115fa 100644
--- a/src/oc-id/Gemfile
+++ b/src/oc-id/Gemfile
@@ -29,7 +29,7 @@ gem 'veil', '~> 0.3.11',
     git: "https://github.com/talktovikas/chef_secrets.git",
     branch: "vikas/debug"
 
-gem 'rack', '> 3.0'
+gem 'rack', '>= 3.1.18'
 
 gem 'omniauth-chef', '~> 0.4.1',
     git: "https://github.com/talktovikas/omniauth-chef.git",

From 0aab83ebce6fbe419a593171515290f6ce7a87ef Mon Sep 17 00:00:00 2001
From: Kallol Roy
Date: Thu, 4 Dec 2025 21:01:56 +0530
Subject: [PATCH 2/3] Update Gemfile.lock for rack >= 3.1.18 constraint

- Updated rack from 3.2.3 to 3.2.4
- Regenerated using bundle lock --update=rack with Ruby 3.1.7
---
 src/oc-id/Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/oc-id/Gemfile.lock b/src/oc-id/Gemfile.lock
index 5b5020bf12..05d6e7ba43 100644
--- a/src/oc-id/Gemfile.lock
+++ b/src/oc-id/Gemfile.lock
@@ -520,7 +520,7 @@ GEM
       stringio
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rack-protection (4.2.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
@@ -778,7 +778,7 @@ DEPENDENCIES
   omniauth-chef (~> 0.4.1)!
   pg (>= 0.18, < 1.6)
   pry-byebug
-  rack (> 3.0)
+  rack (>= 3.1.18)
   rails (= 7.1.5.2)
   rails-controller-testing
   rb-readline (~> 0.5.2)

From 7374e059533f944896a636aceb4c971c0b39924d Mon Sep 17 00:00:00 2001
From: Jan Shahid Shaik
Date: Tue, 9 Dec 2025 11:27:14 +0530
Subject: [PATCH 3/3] CHEF-28294: Update rack gem constraint to >= 3.2.4 and update all Gemfile.lock files

- Update rack constraint from >= 3.1.18 to >= 3.2.4 in src/oc-id/Gemfile
- Update rack version from 3.2.3 to 3.2.4 in all Gemfile.lock files:
  - src/oc-id/Gemfile.lock (already at 3.2.4, updated constraint in DEPENDENCIES)
  - src/chef-server-ctl/Gemfile.lock
  - omnibus/Gemfile.lock
- Ensures consistent rack version 3.2.4 across all dependencies
- Addresses CVE-2025-61780 security vulnerability

Signed-off-by: Jan Shahid Shaik
---
 omnibus/Gemfile.lock             | 2 +-
 src/chef-server-ctl/Gemfile.lock | 2 +-
 src/oc-id/Gemfile                | 2 +-
 src/oc-id/Gemfile.lock           | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 9ac1db9a57..ef4245c75f 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -379,7 +379,7 @@ GEM
       stringio
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rackup (2.2.1)
       rack (>= 3)
     rainbow (3.1.1)
diff --git a/src/chef-server-ctl/Gemfile.lock b/src/chef-server-ctl/Gemfile.lock
index 2eac34011e..cdb1daae53 100644
--- a/src/chef-server-ctl/Gemfile.lock
+++ b/src/chef-server-ctl/Gemfile.lock
@@ -389,7 +389,7 @@ GEM
       method_source (~> 1.0)
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rackup (2.2.1)
       rack (>= 3)
     rainbow (3.1.1)
diff --git a/src/oc-id/Gemfile b/src/oc-id/Gemfile
index e5398115fa..a918241f21 100644
--- a/src/oc-id/Gemfile
+++ b/src/oc-id/Gemfile
@@ -29,7 +29,7 @@ gem 'veil', '~> 0.3.11',
     git: "https://github.com/talktovikas/chef_secrets.git",
     branch: "vikas/debug"
 
-gem 'rack', '>= 3.1.18'
+gem 'rack', '>= 3.2.4'
 
 gem 'omniauth-chef', '~> 0.4.1',
     git: "https://github.com/talktovikas/omniauth-chef.git",
diff --git a/src/oc-id/Gemfile.lock b/src/oc-id/Gemfile.lock
index 05d6e7ba43..9724cd6bd7 100644
--- a/src/oc-id/Gemfile.lock
+++ b/src/oc-id/Gemfile.lock
@@ -778,7 +778,7 @@ DEPENDENCIES
   omniauth-chef (~> 0.4.1)!
   pg (>= 0.18, < 1.6)
   pry-byebug
-  rack (>= 3.1.18)
+  rack (>= 3.2.4)
   rails (= 7.1.5.2)
   rails-controller-testing
   rb-readline (~> 0.5.2)