Engine Yard Developer Center

Security: February 8, 2013: Rack Vulnerabilities / Medium Risk CVE-2013-0263 / CVE-2013-0262

Friday, February 8, 2013, 7:39am PST / 3:39pm UTC

Rack Vulnerability

Two Rack vulnerabilities were recently announced by the Rack project at http://rack.github.com/. Both are rated medium risk; the affected and fixed versions for each are listed below.

CVE-2013-0263 (timing attack on the Rack::Session::Cookie signature check):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0263

  • Affected Versions: All versions before the fixed releases below
  • Fixed Versions: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2

CVE-2013-0262 (path traversal in Rack::File):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0262

  • Versions affected: 1.4.0 and later, before the fixed releases below (versions below 1.4.0 are not affected)
  • Versions fixed: 1.4.5, 1.5.2

What should I do?

Check your Gemfile.lock for the resolved version of rack (the Gemfile usually only pins a range, so the lock file is what tells you which version is actually installed), and if it is a vulnerable version, update immediately.

You can update each of these by using "bundle update rack". Bundler will pick the newest rack that your other gems allow, so compare the version you end up with against the fixed versions above: a framework that pins an older rack branch (for example Rails 3.0, which requires rack ~> 1.2.5) will stop at the latest release on that branch, 1.2.8, which fixes CVE-2013-0263 and is not affected by CVE-2013-0262.
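One way to do that check automatically, as an added example written for this article rather than code from Rack or Engine Yard: a small Ruby script that reads the resolved rack version out of a Gemfile.lock and compares it with the fixed versions listed above, reporting which of the two CVEs still apply. The lock file embedded in it is constructed for illustration (the Rails 3.0 case raised in the comments), and the function names are the example's own.

```ruby
require "rubygems" # Gem::Version gives correct version ordering (1.4.10 > 1.4.5)

# Fixed releases from the advisory above; everything below the fix on the
# same 1.x branch is affected.
FIXED_CVE_2013_0263 = %w[1.1.6 1.2.8 1.3.10 1.4.5 1.5.2].map { |v| Gem::Version.new(v) }
FIXED_CVE_2013_0262 = %w[1.4.5 1.5.2].map { |v| Gem::Version.new(v) }
FIRST_AFFECTED_CVE_2013_0262 = Gem::Version.new("1.4.0")

# Return the resolved rack version from Gemfile.lock text, or nil if rack is
# not in the lock. Resolved specs are indented by exactly four spaces under
# "specs:"; dependency lines such as "      rack (~> 1.2.5)" are indented six
# and carry an operator, so they do not match.
def rack_version_from_lock(lock_text)
  m = lock_text.match(/^ {4}rack \((\d+(?:\.\d+)+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# True when `version` sits below the fix for its major.minor branch. A branch
# older than every fixed release (e.g. 1.0.x) has no fix and is reported as
# affected; a branch newer than every fixed release is treated as fixed.
def affected?(version, fixed, first_affected: Gem::Version.new("0"))
  return false if version < first_affected
  branch_fix = fixed.find { |f| f.segments.first(2) == version.segments.first(2) }
  branch_fix ? version < branch_fix : version < fixed.min
end

# Report the rack version in a lock file and the CVEs it is exposed to.
def rack_advisory_report(lock_text)
  version = rack_version_from_lock(lock_text)
  return { version: nil, cves: [] } unless version
  cves = []
  cves << "CVE-2013-0263" if affected?(version, FIXED_CVE_2013_0263)
  cves << "CVE-2013-0262" if affected?(version, FIXED_CVE_2013_0262,
                                       first_affected: FIRST_AFFECTED_CVE_2013_0262)
  { version: version.to_s, cves: cves }
end

# Constructed sample lock (not a real project file): a Rails 3.0 app whose
# rack constraint (~> 1.2.5) keeps "bundle update rack" on the 1.2.x branch.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.2.7)
      rack-mount (0.6.14)
        rack (>= 1.0.0)
      rails (3.0.20)
        rack (~> 1.2.5)
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  report = rack_advisory_report(text)
  if report[:version].nil?
    puts "rack is not in this lock file"
  elsif report[:cves].empty?
    puts "rack #{report[:version]}: not affected"
  else
    puts "rack #{report[:version]}: affected by #{report[:cves].join(', ')} - run \"bundle update rack\""
  end
end
```

Run it with the path to a Gemfile.lock as the first argument; with no argument it checks the embedded sample and reports rack 1.2.7 as affected by CVE-2013-0263 only. The comparison uses Gem::Version rather than string ordering so that, for example, 1.3.10 is correctly treated as newer than 1.3.9.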


If you need assistance, please file a ticket.


Comments

  • Yves-Eric Martin

    The links are broken (they have an extra ':' at the end).

    Anyway, thanks a lot for the heads up!

  • Seemant Kulleen

    Thanks for the heads up back, Yves-Eric. Additionally, the URLs are not available over https, only http; I've adjusted them to be correct. Have a great weekend!

  • Fernando Calatayud

    "bundle update rack" leaves us on 1.2.8, as Rails 3.0.20 requires rack (~> 1.2.5); this fixes CVE-2013-0263, but not CVE-2013-0262. What can we do about CVE-2013-0262 on Rails 3.0?

  • Adam Holt

    Hi Fernando,

    CVE-2013-0262 is not applicable to versions of rack under 1.4.0.

    Thanks,

    Adam
