Fixed CVEs:
- CVE-2026-33946: MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
- CVE-2026-34785: github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check
- CVE-2026-34827: rack: Rack: Denial of Service via crafted multipart/form-data requests
- CVE-2026-34829: rack: Rack: Denial of Service via unbounded multipart file upload
Package Updates:
- Updates nginx from 1.29.7 to 1.29.8
What's Changed
- Add disk update action via CPI by @neddp in #2701
- Fix integration tests broken by new update_disk function by @neddp in #2703
- Fix unit test flakes by ordering configs by ID by @aramprice in #2704
- Fix IP Allocation Bug: Reserved Range Not Detected by @neddp in #2657
- Fix ~75% flake rate in upgrade-mysql and upgrade-postgres pipelines by @aramprice in #2705
Full Changelog: v282.1.6...v282.1.7