Source: ruby-rack Version: 2.0.7-2 Severity: important Tags: security upstream Control: found -1 2.0.6-3 Control: found -1 1.6.4-4+deb9u1 Control: found -1 1.6.4-1
Hi, The following vulnerability was published for ruby-rack. CVE-2019-16782[0]: | There's a possible information leak / session hijack vulnerability in | Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 | and 2.0.8. Attackers may be able to find and hijack sessions by using | timing attacks targeting the session id. Session ids are usually | stored and indexed in a database that uses some kind of scheme for | speeding up lookups of that session id. By carefully measuring the | amount of time it takes to look up a session, an attacker may be able | to find a valid session id and hijack the session. The session id | itself may be generated randomly, but the way the session is indexed | by the backing store does not use a secure comparison. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-16782 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782 [1] https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 [2] https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore