oss-sec mailing list archives
CVE-2013-0263: Rack all versions, Timing attack in cookie sessions
From: James Tucker <raggi () google com>
Date: Thu, 7 Feb 2013 19:34:47 -0800
CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE
Vulnerable code: https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy
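The advisory names the bug but not the mechanism. The following is an added illustration (constructed for this archive page, not Rack's own code or the linked patch) of a cookie session check in the style Rack uses, with the payload and its HMAC-SHA1 digest joined by "--": the insecure version compares digests with String#==, which stops at the first mismatching byte and so leaks timing, beside a constant-time comparison of the kind the fix introduced. The secret, the sign/verify helper names and the sample payload are assumptions of the example.

```ruby
require 'openssl'

# Constructed secret for the demonstration only; a real deployment uses a
# long random key configured for the session store.
SECRET = 'constructed-secret-for-demo-only'

# Join the serialized session payload and its HMAC-SHA1 digest with "--".
# A real store would deserialize the payload (e.g. with Marshal.load) only
# after the digest check passes, which is why a forged digest is dangerous.
def sign(payload)
  digest = OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
  "#{payload}--#{digest}"
end

# Insecure check: String#== returns as soon as one byte differs, so the
# response time depends on how many leading digest bytes a request got right.
def verify_insecure(cookie)
  payload, digest = cookie.split('--', 2)
  return nil unless digest
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload) == digest ? payload : nil
end

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the work performed does not depend on where (or whether) the inputs differ.
# Length is checked first; the digest length is public, so that does not leak.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte.with_index { |byte, i| result |= byte ^ left[i] }
  result.zero?
end

# Hardened check: identical cookie format, comparison no longer leaks timing.
def verify_secure(cookie)
  payload, digest = cookie.split('--', 2)
  return nil unless digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
  secure_compare(expected, digest) ? payload : nil
end
```
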