CHEF-28294: Fix CVE-2025-61780 - Update rack gem to >= 3.1.18 (#4129)

kalroy · jashaik · web-flow · commit 0083ff352fda · 2025-12-09T14:56:52.000+05:30
* CHEF-28294: Fix CVE-2025-61780 - Update rack gem constraint to >= 3.1.18 Update rack gem version constraint in oc-id Gemfile from '> 3.0' to '>= 3.1.18' to address CVE-2025-61780 (CVSS 5.3), an information disclosure vulnerability in Rack::Sendfile when running behind a proxy like Nginx. The vulnerability affects rack versions prior to 2.2.20, 3.1.18, and 3.2.3. Gemfile.lock already contains rack 3.2.3 which is compliant. * Update Gemfile.lock for rack >= 3.1.18 constraint - Updated rack from 3.2.3 to 3.2.4 - Regenerated using bundle lock --update=rack with Ruby 3.1.7 * CHEF-28294: Update rack gem constraint to >= 3.2.4 and update all Gemfile.lock files - Update rack constraint from >= 3.1.18 to >= 3.2.4 in src/oc-id/Gemfile - Update rack version from 3.2.3 to 3.2.4 in all Gemfile.lock files: - src/oc-id/Gemfile.lock (already at 3.2.4, updated constraint in DEPENDENCIES) - src/chef-server-ctl/Gemfile.lock - omnibus/Gemfile.lock - Ensures consistent rack version 3.2.4 across all dependencies - Addresses CVE-2025-61780 security vulnerability Signed-off-by: Jan Shahid Shaik <jashaik@progress.com> --------- Signed-off-by: Jan Shahid Shaik <jashaik@progress.com> Co-authored-by: Jan Shahid Shaik <jashaik@progress.com> Co-authored-by: jashaik <76031665+jashaik@users.noreply.github.com>
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
@@ -379,7 +379,7 @@ GEM
       stringio
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rackup (2.2.1)
       rack (>= 3)
     rainbow (3.1.1)
diff --git a/src/chef-server-ctl/Gemfile.lock b/src/chef-server-ctl/Gemfile.lock
@@ -389,7 +389,7 @@ GEM
       method_source (~> 1.0)
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rackup (2.2.1)
       rack (>= 3)
     rainbow (3.1.1)
diff --git a/src/oc-id/Gemfile b/src/oc-id/Gemfile
@@ -29,7 +29,7 @@ gem 'veil', '~> 0.3.11',
     git: "https://github.com/talktovikas/chef_secrets.git",
     branch: "vikas/debug"
 
-gem 'rack', '> 3.0'
+gem 'rack', '>= 3.2.4'
 
 gem 'omniauth-chef', '~> 0.4.1',
     git: "https://github.com/talktovikas/omniauth-chef.git",
diff --git a/src/oc-id/Gemfile.lock b/src/oc-id/Gemfile.lock
@@ -520,7 +520,7 @@ GEM
       stringio
     public_suffix (6.0.2)
     racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
     rack-protection (4.2.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
@@ -778,7 +778,7 @@ DEPENDENCIES
   omniauth-chef (~> 0.4.1)!
   pg (>= 0.18, < 1.6)
   pry-byebug
-  rack (> 3.0)
+  rack (>= 3.2.4)
   rails (= 7.1.5.2)
   rails-controller-testing
   rb-readline (~> 0.5.2)
