oss-sec mailing list archives

Re: CVE request: rack-cache caches sensitive headers (Set-Cookie)


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 06 Jun 2012 10:56:02 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/06/2012 03:29 AM, Jan Lieskovsky wrote:
Thanks for your report, Matthias.

On 06/06/2012 11:09 AM, Matthias Weckbecker wrote:
Hi Kurt, Steve, vendors,

rack-cache caches sensitive response headers such as Set-Cookie. Attackers
with access to the cache could possibly obtain other users' cookies to e.g.
bypass authentication.

More information (including patch) available at our bugzilla:
   https://bugzilla.novell.com/show_bug.cgi?id=763650

Kurt, could you possibly assign a CVE for this issue, please? Thank you in
advance!

Kurt, once assigned please note it in our bug:
https://bugzilla.redhat.com/show_bug.cgi?id=824520

too.

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team


Matthias


Please use CVE-2012-2671 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----


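The bug class reported in this thread, a shared HTTP cache that stores and replays per-user response headers, as an added example that is not rack-cache's code, not the reporter's patch, and not a description of the upstream fix. It uses no gems: a Rack application is any object whose call(env) returns [status, headers, body], so a toy middleware is enough to show the vulnerable behaviour beside one hardened policy. The header list, the "cache only if Cache-Control: public, and then strip Set-Cookie" rule, and the session_app origin are this example's own assumptions.

```ruby
# Headers a shared cache must never replay to a different client. The list is
# an assumption for this example, not rack-cache's configuration.
SENSITIVE_HEADERS = %w[set-cookie set-cookie2 www-authenticate].freeze

# Vulnerable pattern: every header of a 200 response is stored and replayed,
# Set-Cookie included, so the second visitor to a URL is handed the first
# visitor's session cookie.
class NaiveSharedCache
  def initialize(app)
    @app = app
    @store = {}
  end

  def call(env)
    key = env['PATH_INFO']
    if (hit = @store[key])
      return [hit[0], hit[1].dup, hit[2].dup]
    end
    status, headers, body = @app.call(env)
    chunks = []
    body.each { |c| chunks << c }
    store(key, status, headers, chunks)
    [status, headers, chunks]
  end

  private

  def store(key, status, headers, chunks)
    return unless status == 200
    @store[key] = [status, headers.dup, chunks]
  end
end

# Hardened variant (policy chosen for this example): a response that sets a
# cookie carries per-user state, so it is not stored at all unless the app
# explicitly marks it Cache-Control: public, and even then the sensitive
# headers are dropped from the stored copy. The originating client still
# receives its own cookie; only the shared copy is scrubbed.
class SafeSharedCache < NaiveSharedCache
  private

  def store(key, status, headers, chunks)
    return unless status == 200
    normalized = headers.transform_keys(&:downcase)
    sets_cookie = normalized.key?('set-cookie')
    directives = normalized.fetch('cache-control', '').split(',').map(&:strip)
    return if sets_cookie && !directives.include?('public')
    stored = headers.reject { |k, _| SENSITIVE_HEADERS.include?(k.downcase) }
    @store[key] = [status, stored, chunks]
  end
end

# Constructed origin app: issues a fresh session cookie on every request, as a
# login or session-creating endpoint would. Optional extra headers let a test
# mark the response public.
def session_app(extra_headers = {})
  counter = 0
  lambda do |_env|
    counter += 1
    [200,
     { 'Content-Type' => 'text/plain',
       'Set-Cookie' => "session=user#{counter}; HttpOnly" }.merge(extra_headers),
     ["hello user#{counter}"]]
  end
end

# Send two requests for the same path through a cache and return the
# Set-Cookie value each client received (nil when none was sent).
def cookies_seen_by_two_clients(cache_class, app = session_app)
  stack = cache_class.new(app)
  env = { 'PATH_INFO' => '/dashboard', 'REQUEST_METHOD' => 'GET' }
  first = stack.call(env)[1]['Set-Cookie']
  second = stack.call(env)[1]['Set-Cookie']
  [first, second]
end

if $PROGRAM_NAME == __FILE__
  p cookies_seen_by_two_clients(NaiveSharedCache)
  p cookies_seen_by_two_clients(SafeSharedCache)
  p cookies_seen_by_two_clients(SafeSharedCache,
                                session_app('Cache-Control' => 'public'))
end
```

With the naive cache both clients see session=user1; with the hardened cache the second client gets its own session=user2, and a response the app explicitly marked public is cached but replayed without its Set-Cookie header. In a real deployment the same effect is usually reached by sending Cache-Control: private or no-store on any response that sets a cookie, and by auditing what a shared cache in front of the application will store when the application forgets to.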