[DRE-maint] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Satoru KURASHIKI
lurdan at gmail.com
Sun Feb 10 02:14:50 UTC 2013
hi,
> For further information see:
> [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
> Please adjust the affected versions in the BTS as needed.
> Note: According to the red hat bugtracker for CVE-2013-0262 only
> versions after 1.4.x are affected, for CVE-2013-0263 all previous
> versions. Could you please double check this, and mark
> accordingly?
With a quick look:
The code that raises CVE-2013-0262 (calculating path depth sequentially)
was introduced in rack-1.4.0, so the stable version (librack-ruby 1.1.0-4) is not
affected.
The code that raises CVE-2013-0263 (needs time string comparison)
also affects the stable version:
https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
Would it be better to split this bug in the BTS?
regards,
--
KURASHIKI Satoru
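The two issue classes named in this thread, shown as an added example that is not Rack's code and not part of the original message: a constant-time digest comparison for an HMAC-signed session cookie (the CVE-2013-0263 class, where a plain `==` leaks the position of the first mismatching byte through timing), and a sequential path-depth check that rejects any `..` sequence taking the path above the served root (the CVE-2013-0262 class). The `SECRET` value, the `data--digest` cookie layout and the function names are assumptions made for the example.

```ruby
require 'openssl'

# Constructed secret for the example; a real application takes this from its
# configuration, never from source.
SECRET = 'constructed-example-secret'

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the time taken does not depend on where the first mismatch occurs.
# Rack::Utils.secure_compare and OpenSSL.fixed_length_secure_compare provide
# the same idea in current releases; this is a stand-alone illustration.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff == 0
end

# HMAC-SHA1 hex digest over the serialized cookie payload.
def generate_hmac(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Verify a "data--digest" cookie value (layout assumed for the example).
# Returns the payload on success, nil on a missing or mismatching digest.
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(generate_hmac(data, secret), digest)
  data
end

# Walk the path components in order, tracking depth as we go. A ".." that
# would push the depth below zero escapes the root and is rejected at once,
# rather than being balanced against later components.
def safe_path?(path_info)
  depth = 0
  path_info.split(%r{[/\\]}).each do |part|
    next if part.empty? || part == '.'
    if part == '..'
      depth -= 1
      return false if depth < 0
    else
      depth += 1
    end
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  cookie = "session-payload--#{generate_hmac('session-payload')}"
  puts "valid cookie   -> #{verify_cookie(cookie).inspect}"
  puts "forged cookie  -> #{verify_cookie('session-payload--' + '0' * 40).inspect}"
  puts "/a/b/../c      -> #{safe_path?('/a/b/../c')}"
  puts "/a/../../x     -> #{safe_path?('/a/../../x')}"
end
```

The depth check deliberately fails as soon as the running depth goes negative; counting `..` components and comparing totals at the end would accept a path such as `/a/../../x/y` that is above the root at its midpoint.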