[DRE-maint] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Salvatore Bonaccorso
carnil at debian.org
Sun Feb 10 07:49:05 UTC 2013
Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions
Hi
On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
> Hi,
>
> > For further information see:
>
> > [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
>
> > Please adjust the affected versions in the BTS as needed.
>
> > Note: According to the red hat bugtracker for CVE-2013-0262 only
> > versions after 1.4.x are affected, for CVE-2013-0263 all previous
> > versions. Could you please double check this, and mark
> > accordingly?
>
> With a quick look:
>
> The code which raises CVE-2013-0262 (calculate path depth sequentially)
> was introduced in rack-1.4.0. So the stable version (librack-ruby 1.1.0-4) is not
> affected.
>
> The code which raises CVE-2013-0263 (needs time string comparison)
> also affects the stable version:
> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
>
> Would it be better to split this bug in the BTS?
Thanks for the analysis! I'm cloning the bug and retitling both
accordingly so that both CVEs can be tracked in separate bugs.
Regards,
Salvatore
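The timing issue tracked as CVE-2013-0263 comes down to how the session cookie's HMAC is compared. The Ruby below is an added example, not Rack's own code: a simplified cookie-session verifier with the early-exit string comparison beside a constant-time one. All names, the JSON payload format and the secret are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed demo secret; a real deployment uses a long random value.
SECRET = 'constructed-demo-secret'.freeze

# Cookie layout assumed here: "<base64 JSON>--<hex HMAC-SHA1 of the base64 part>".
def generate_hmac(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

def encode_cookie(session_hash, secret = SECRET)
  data = Base64.strict_encode64(JSON.generate(session_hash))
  "#{data}--#{generate_hmac(data, secret)}"
end

# Vulnerable pattern: String#== returns as soon as one byte differs, so the
# response time leaks how many leading bytes of a guessed digest were right.
def verify_naive(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless digest == generate_hmac(data, secret)
  JSON.parse(Base64.strict_decode64(data))
end

# Hardened pattern: XOR every byte pair and OR the results together, so the
# time taken does not depend on where (or whether) the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

def verify_secure(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless secure_compare(digest, generate_hmac(data, secret))
  JSON.parse(Base64.strict_decode64(data))
end
```

Both verifiers reject a tampered cookie; only the second does so without a data-dependent running time.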