[SECURITY] Rack 0.9.1, a modular Ruby webserver interface


#1

Hello,

Today we release Rack 0.9.1. This release is a security release, it
only fixes directory traversal exploits in Rack::File and
Rack::Directory, dating back to Rack 0.3. Updating is highly
recommended if you use these modules.

= Rack, a modular Ruby webserver interface

Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.

The exact details of this are described in the Rack specification,
which all Rack applications should conform to.

== Changes

  • January 9th, 2009: Sixth public release 0.9.1.
    • Fix directory traversal exploits in Rack::File and Rack::Directory.

== Where can I get it?

You can download Rack 0.9.1 at

    http://chneukirchen.org/releases/rack-0.9.1.tar.gz
              http://rubyforge.org/projects/rack

Alternatively, you can checkout from the development repository with:

git clone git://github.com/rack/rack.git
cd rack && git checkout rack-0.9   # for this release

== Installing with RubyGems

A Gem of Rack is available. You can install it with:

gem install rack

I also provide a local mirror of the gems (and development snapshots)
at my site:

gem install rack --source http://chneukirchen.org/releases/gems/

== Contact

Please mail bugs, suggestions and patches to
mailto:removed_email_address@domain.invalid.

Mailing list archives are available at
http://groups.google.com/group/rack-devel.

There is a bug tracker at http://rack.lighthouseapp.com/.

Git repository (patches rebased on master are most welcome):

You are also welcome to join the #rack channel on irc.freenode.net.

== Thanks

The Rack Core Team, consisting of

  • Christian N. (chneukirchen)
  • James T. (raggi)
  • Josh P. (josh)
  • Michael F. (manveru)
  • Ryan T. (rtomayko)
  • Scytrin dai Kinthra (scytrin)

would like to thank:

  • Tom R., for finding and reporting these bugs.

== Copyright

Copyright © 2007, 2008, 2009 Christian N.
http://purl.org/net/chneukirchen

Rack is freely distributable under the terms of an MIT-style license.

== Links

Rack:: http://rack.rubyforge.org/
Rack’s Rubyforge project:: http://rubyforge.org/projects/rack
Official Rack repositories:: http://github.com/rack
rack-devel mailing list:: http://groups.google.com/group/rack-devel

Happy hacking and have a nice day,
Christian N.
on behalf of the Rack Core Team.

237e24207b39c384d78c266d86bbf2a0808dc417 rack-0.9.1.tar.gz
d3383a4b4abfc2de43df69d1fd7f24995a6e5fe4 rack-0.9.1.gem