Following CVE-2015-3225, I want to update the rack version of some apps that are hosted via passenger in production. However, I am not sure what the relationship is between passenger and rack. Do I need to update the version of rack passenger is using, or the rack version specified in each app's Gemfile.lock, or should I be updating both?
I think the answer is the latter (both) but if I can fix the vulnerability just by updating the rack version passenger is using, then that is a lot less work.
It was this Google forum post that made me think passenger was defining the rack version, but reading it again I don't think that's the case.
The rack version is defined in the application. Each application can have its own rack version and Passenger will load it. Therefore, what you want to upgrade is the rack version your application is currently using.
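An added check that follows from the answer above (example script, not from the question, the answer, or Passenger itself): since each app's Gemfile.lock pins its own rack, audit every lockfile under a deploy root and flag apps still below a minimum version. The minimum version is an assumption you pass in (take it from the Rack advisory for the branch you run); the sample lockfiles and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: report the rack version each app has pinned in Gemfile.lock.
# Passenger loads whatever rack the app's lockfile resolves to, so the lockfile
# is the thing to audit, not Passenger's own installation.

# Print the rack version recorded in a Gemfile.lock (empty if rack is not listed).
# Matches the "    rack (x.y.z)" line under "  specs:", not "rack-protection" etc.
rack_version_from_lock() {
  sed -n 's/^    rack (\([0-9][0-9.]*\)).*$/\1/p' "$1" | head -n 1
}

# Return 0 if version $1 >= version $2, comparing dot-separated parts numerically
# (so 1.6.10 is newer than 1.6.2, which a plain string compare would get wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Print OK, OUTDATED or NO_RACK for one lockfile ($1) against minimum version ($2).
rack_status() {
  v=$(rack_version_from_lock "$1")
  if [ -z "$v" ]; then echo NO_RACK
  elif version_ge "$v" "$2"; then echo OK
  else echo OUTDATED; fi
}

# Walk every Gemfile.lock under $1 (paths without whitespace assumed) and print
# one status line per app; exit 1 if any app is OUTDATED so CI can fail on it.
audit_rack() {
  rc=0
  for lock in $(find "$1" -name Gemfile.lock | sort); do
    s=$(rack_status "$lock" "$2")
    echo "$s $lock  (rack $(rack_version_from_lock "$lock"))"
    [ "$s" = OUTDATED ] && rc=1
  done
  return $rc
}

# Constructed demo: two apps, one pinned below the (placeholder) minimum 1.6.2.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app_a" "$demo_root/app_b"
printf 'GEM\n  specs:\n    rack (1.6.0)\n' > "$demo_root/app_a/Gemfile.lock"
printf 'GEM\n  specs:\n    rack (1.6.2)\n' > "$demo_root/app_b/Gemfile.lock"
audit_rack "$demo_root" 1.6.2 || echo "some apps still need a rack upgrade"
rm -rf "$demo_root"
```

After bumping rack in an app's Gemfile and running bundle install there, restart that app under Passenger so the new lockfile is what gets loaded.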