🚨 [security] Update rack: 2.0.6 → 2.0.8 (patch)

[depfu]

---

🚨 Your version of rack has known security vulnerabilities 🚨

Advisory: CVE-2019-16782
Disclosed: December 18, 2019
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Possible information leak / session hijack vulnerability

There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks
targeting the session id. Session ids are usually stored and indexed in a
database that uses some kind of scheme for speeding up lookups of that
session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack
the session.

The session id itself may be generated randomly, but the way the session is
indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying
the backing session storage engine. Most storage mechanisms (for example a
database) use some sort of indexing in order to speed up the lookup of that
id. By carefully timing requests and session lookup failures, an attacker
may be able to perform a timing attack to determine an existing session id
and hijack that session.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ rack (indirect, 2.0.6 → 2.0.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 18 commits:

• Bumping version
• Introduce a new base class to avoid breaking when upgrading
• Add a version prefix to the private id to make easier to migrate old values
• Fallback to the public id when reading the session in the pool adapter
• Also drop the session with the public id when destroying sessions
• Fallback to the legacy id when the new id is not found
• Add the private id
• revert conditionals to master
• remove NullSession
• remove || raise and get closer to master
• store hashed id, send public id
• use session id objects
• remove more nils
• try to ensure we always have some kind of object
• Bumping to 2.0.7 for release
• Merge pull request #1343 from larsxschneider/ls/forward-fix
• Preserve forwarded IP address for trusted proxy chains
• Merge pull request #1201 from janko-m/make-multipart-parsing-work-for-chunked-requests

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #243.