Sidekiq: Sidekiq 5.2.8 locks Rack to 2.0.x (CVE found)

Created on 15 May 2020 · 9 Comments · Source: mperham/sidekiq

Ruby: 2.4.6
Sidekiq: 5.2.8
Rack: 2.0.9

Are you using an old version?

No

Have you checked the changelogs to see if your issue has been fixed in a later version?

https://github.com/mperham/sidekiq/blob/master/Changes.md
https://github.com/mperham/sidekiq/blob/master/Pro-Changes.md
https://github.com/mperham/sidekiq/blob/master/Ent-Changes.md

Yes, 5.2.8 is the latest version in the 5.x series.

Problem

A recent CVE has been announced for Rack 2.0.x. Sidekiq will not allow Rack to be upgraded to the recommended versions. Here is the output of bundler audit.

Name: rack
Version: 2.0.9
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0
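To see why bundler cannot resolve a patched Rack here, the advisory's two patched ranges can be checked against a gem's dependency constraint with Ruby's own Gem::Requirement. This is an added example, not code from Sidekiq or bundler-audit; the two Sidekiq-side constraints and the list of Rack releases are constructed stand-ins, not taken from the gemspec. Note that the advisory's "~> 2.1.3, >= 2.2.0" lists alternatives, so they must be OR-ed, whereas Gem::Requirement.new with two strings AND-s them.

```ruby
require "rubygems"

# Patched Rack ranges from the bundler-audit output above
# ("upgrade to ~> 2.1.3, >= 2.2.0"). Each entry is an alternative,
# so a version is patched if it satisfies ANY one of them.
PATCHED_RACK = ["~> 2.1.3", ">= 2.2.0"].map { |r| Gem::Requirement.new(r) }

# Hypothetical stand-ins for the rack constraint in the sidekiq gemspec
# (assumption, not copied from the gemspec): 5.2.8 allows only 2.0.x,
# 5.2.9 relaxed that to any 2.x release.
SIDEKIQ_RACK_CONSTRAINT = {
  "5.2.8" => Gem::Requirement.new("~> 2.0.0"),
  "5.2.9" => Gem::Requirement.new("~> 2.0"),
}.freeze

# Constructed list of candidate Rack releases to resolve against.
CANDIDATE_RACK_VERSIONS = %w[2.0.8 2.0.9 2.1.2 2.1.3 2.1.4 2.2.0 2.2.2].freeze

# True if the version falls inside any of the advisory's patched ranges.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED_RACK.any? { |req| req.satisfied_by?(v) }
end

# Candidate Rack versions that are both patched against the advisory and
# permitted by the given sidekiq release's rack dependency. An empty
# result is exactly the situation bundler-audit is complaining about.
def installable_patched_rack(sidekiq_version, candidates = CANDIDATE_RACK_VERSIONS)
  constraint = SIDEKIQ_RACK_CONSTRAINT.fetch(sidekiq_version)
  candidates.select do |ver|
    patched?(ver) && constraint.satisfied_by?(Gem::Version.new(ver))
  end
end

if __FILE__ == $PROGRAM_NAME
  SIDEKIQ_RACK_CONSTRAINT.each_key do |sk|
    puts "sidekiq #{sk}: patched, installable rack = #{installable_patched_rack(sk).inspect}"
  end
end
```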


All 9 comments

Do you use Rack::Directory? If not, this version doesn’t matter to you. If yes, you can run the 5-x branch.

@mperham I appreciate the quick response. Our CI builds require bundler-audit to pass, and I'd prefer to not just add an exception for this. Is there a plan to release this under 5.x, or is using the branch the only option?

I'm not in a hurry to release. There's a CVE in a Rack feature that is not enabled by default and the community does not use (at least I've never heard of anyone using it). If someone uses Sidekiq AND Rack::Directory in the same app, please speak up.

For any curious, this will use the branch:

gem 'sidekiq', github: 'mperham/sidekiq', branch: '5-x'

Is there any plan to release a new version of the 5.2 series of Sidekiq?
Recently Rack released another security patch, and we need a new version of Sidekiq to upgrade Rack.
Ref: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8184.yml

Sidekiq 5.2.9 has been released.

oh, 5.2.9 just relaxed the rack requirements. Doesn't address the disappearing UI issue when you update rack

I don’t know what a disappearing UI is?

On Jun 16, 2020, at 09:53, Adam Zolotarev notifications@github.com wrote:


oh, 5.2.9 just relaxed the rack requirements. Doesn't address the disappearing UI issue


Sorry, looks like it was an issue with New Relic. I just needed to also update New Relic gem based on https://github.com/mperham/sidekiq/issues/4440
