Debian Bug report logs -
#946983
ruby-rack: CVE-2019-16782
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 18 Dec 2019 21:09:02 UTC
Severity: important
Tags: security, upstream
Found in versions ruby-rack/1.6.4-1, ruby-rack/2.0.7-2, ruby-rack/2.0.6-3, ruby-rack/1.6.4-4+deb9u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#946983; Package src:ruby-rack.
(Wed, 18 Dec 2019 21:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Wed, 18 Dec 2019 21:09:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ruby-rack
Version: 2.0.7-2
Severity: important
Tags: security upstream
Control: found -1 2.0.6-3
Control: found -1 1.6.4-4+deb9u1
Control: found -1 1.6.4-1
Hi,
The following vulnerability was published for ruby-rack.
CVE-2019-16782[0]:
| There's a possible information leak / session hijack vulnerability in
| Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12
| and 2.0.8. Attackers may be able to find and hijack sessions by using
| timing attacks targeting the session id. Session ids are usually
| stored and indexed in a database that uses some kind of scheme for
| speeding up lookups of that session id. By carefully measuring the
| amount of time it takes to look up a session, an attacker may be able
| to find a valid session id and hijack the session. The session id
| itself may be generated randomly, but the way the session is indexed
| by the backing store does not use a secure comparison.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
[1] https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
[2] https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions ruby-rack/2.0.6-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 18 Dec 2019 21:09:05 GMT) (full text, mbox, link).
Marked as found in versions ruby-rack/1.6.4-4+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 18 Dec 2019 21:09:05 GMT) (full text, mbox, link).
Marked as found in versions ruby-rack/1.6.4-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 18 Dec 2019 21:09:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Dec 19 09:09:36 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon