Skip to content

Bump rack from 3.2.5 to 3.2.6#4309

Merged
sensei100 merged 1 commit intomainfrom
dependabot/bundler/rack-3.2.6
Apr 2, 2026
Merged

Bump rack from 3.2.5 to 3.2.6#4309
sensei100 merged 1 commit intomainfrom
dependabot/bundler/rack-3.2.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps rack from 3.2.5 to 3.2.6.

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump rack from 3.2.5 to 3.2.6
932f124 
Bumps [rack](https://github.com/rack/rack) from 3.2.5 to 3.2.6.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.2.5...v3.2.6)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Apr 2, 2026
@sensei100 sensei100 merged commit 548a5d6 into main Apr 2, 2026
4 checks passed
@sensei100 sensei100 deleted the dependabot/bundler/rack-3.2.6 branch April 2, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sensei100 sensei100 sensei100 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sensei100