[DRE-maint] Bug#946983: ruby-rack: CVE-2019-16782
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 18 21:06:56 GMT 2019
Source: ruby-rack
Version: 2.0.7-2
Severity: important
Tags: security upstream
Control: found -1 2.0.6-3
Control: found -1 1.6.4-4+deb9u1
Control: found -1 1.6.4-1
Hi,
The following vulnerability was published for ruby-rack.
CVE-2019-16782[0]:
| There's a possible information leak / session hijack vulnerability in
| Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12
| and 2.0.8. Attackers may be able to find and hijack sessions by using
| timing attacks targeting the session id. Session ids are usually
| stored and indexed in a database that uses some kind of scheme for
| speeding up lookups of that session id. By carefully measuring the
| amount of time it takes to look up a session, an attacker may be able
| to find a valid session id and hijack the session. The session id
| itself may be generated randomly, but the way the session is indexed
| by the backing store does not use a secure comparison.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
[1] https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
[2] https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list