Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Hi

On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
> hi,
> 
> > For further information see:
> 
> > [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> > Note: According to the red hat bugtracker for CVE-2013-0262 only
> >       versions after 1.4.x are affected, for CVE-2013-0263 all previous
> >       versions. Could you please double check this, and mark
> >       accordingly?
> 
> With a quick look:
> 
> The code which raises CVE-2013-0262 (calculating path depth sequentially)
> was introduced in rack-1.4.0, so the stable version (librack-ruby 1.1.0-4)
> is not affected.
> 
> The code which raises CVE-2013-0263 (a timing-dependent string comparison)
> also affects the stable version:
> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
> 
> Would it be better to split this BTS bug?

thanks for the analysis! I'm cloning the bug and retitling both
accordingly so that both CVEs can be tracked in separate bugs.

Regards,
Salvatore

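The comparison the reply links to (cookie.rb#L49 in the rack 1.1 branch) is what CVE-2013-0263 is about: a signed cookie of the form `data--hmac` whose digest is checked with ordinary string equality, which returns as soon as the first differing byte is found and so leaks, through response time, how much of a forged digest is correct. The following is an added example written for this thread, not Rack's code: `SECRET`, the cookie layout, `load_session_vulnerable`, `load_session_hardened` and `secure_compare` are all assumptions made for illustration, and the session payload is a constructed plain string rather than Rack's serialized session.

```ruby
require "openssl"

# Constructed secret for the example only; never hard-code a real one.
SECRET = "constructed-demo-secret".freeze

def generate_hmac(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, data)
end

# Cookie layout assumed for the example: "<data>--<hex hmac>".
def build_cookie(session_data)
  "#{session_data}--#{generate_hmac(session_data)}"
end

# Split on the last "--" (a hex digest never contains one); with no
# separator the data is "" and the whole cookie is treated as the digest.
def split_cookie(cookie)
  data, sep, digest = cookie.rpartition("--")
  sep.empty? ? ["", cookie] : [data, digest]
end

# Vulnerable pattern: String#== stops at the first mismatching byte, so an
# attacker who can measure response time learns one hex digit at a time.
def load_session_vulnerable(cookie)
  data, digest = split_cookie(cookie)
  return nil unless digest == generate_hmac(data)
  data
end

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the loop always walks the full string regardless of where bytes differ.
# A length mismatch is rejected up front; the length of an HMAC is not secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  r, i = 0, -1
  b.each_byte { |v| r |= v ^ l[i += 1] }
  r == 0
end

# Hardened: same cookie format, same HMAC, only the comparison changes.
def load_session_hardened(cookie)
  data, digest = split_cookie(cookie)
  return nil unless secure_compare(digest, generate_hmac(data))
  data
end

if __FILE__ == $0
  good = build_cookie("user_id=42")
  forged = "user_id=1--" + generate_hmac("user_id=42")
  puts "valid cookie   -> #{load_session_hardened(good).inspect}"
  puts "tampered data  -> #{load_session_hardened(forged).inspect}"
  puts "no signature   -> #{load_session_hardened("user_id=42").inspect}"
end
```

Both loaders accept and reject the same cookies; the difference is only in how long the rejection takes, which is exactly what a remote attacker measures. Newer Rack ships an equivalent helper as `Rack::Utils.secure_compare`; the loop above follows the same XOR-and-OR shape.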

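The reply above attributes CVE-2013-0262 to the sequential path-depth calculation introduced in rack 1.4.0 and gives no further detail of the defect, so the following added example (again not Rack's code, and not a reproduction of the specific 1.4.x bug) only illustrates the two checks a static-file handler needs: lexical cleaning of `..` segments, and a realpath containment check that lexical cleaning alone cannot provide, because a symlink inside the served root may point outside it. `clean_path_segments`, `resolve_lexical_only`, `resolve_under_root`, the temporary directory layout and the three probe paths are all constructed for this example.

```ruby
require "tmpdir"
require "fileutils"

# Sequential depth calculation: push ordinary segments, pop one level on
# "..", ignore "." and empty segments. Popping an empty array is a no-op,
# so the result can never climb above the root lexically.
def clean_path_segments(path_info)
  clean = []
  path_info.split(%r{[/\\]}).each do |part|
    next if part.empty? || part == "."
    part == ".." ? clean.pop : clean << part
  end
  clean
end

# Lexical cleaning only: join the cleaned segments under root and serve
# whatever exists there. Symlinks under root are followed blindly.
def resolve_lexical_only(root, path_info)
  candidate = File.join(root, *clean_path_segments(path_info))
  File.exist?(candidate) ? candidate : nil
end

# Hardened: after lexical cleaning, resolve the candidate with File.realpath
# and insist the real location is still inside the real root. Returns the
# real path, or nil if the file is missing or escapes the root.
def resolve_under_root(root, path_info)
  real_root = File.realpath(root)
  candidate = File.join(real_root, *clean_path_segments(path_info))
  return nil unless File.exist?(candidate)
  real = File.realpath(candidate)
  return nil unless real == real_root || real.start_with?(real_root + File::SEPARATOR)
  real
end

# Constructed fixture: public/index.html under the served root, a secret
# outside the root, and a symlink inside the root pointing at the outside dir.
def with_demo_tree
  Dir.mktmpdir do |dir|
    public_dir  = File.join(dir, "public")
    outside_dir = File.join(dir, "outside")
    FileUtils.mkdir_p(public_dir)
    FileUtils.mkdir_p(outside_dir)
    File.write(File.join(public_dir, "index.html"), "<h1>hello</h1>")
    File.write(File.join(outside_dir, "secret.txt"), "not for the web")
    File.symlink(outside_dir, File.join(public_dir, "link"))
    yield public_dir
  end
end

# For each probe path, report [served by lexical-only?, served by hardened?].
def demo_results
  probes = ["/index.html", "/../outside/secret.txt", "/link/secret.txt"]
  with_demo_tree do |public_dir|
    probes.each_with_object({}) do |path, out|
      out[path] = [
        !resolve_lexical_only(public_dir, path).nil?,
        !resolve_under_root(public_dir, path).nil?,
      ]
    end
  end
end

if __FILE__ == $0
  demo_results.each do |path, (lexical, hardened)|
    puts "#{path.ljust(24)} lexical-only: #{lexical ? 'served' : 'refused'}  hardened: #{hardened ? 'served' : 'refused'}"
  end
end
```

The `..` probe is stopped by the lexical pass in both versions; the symlink probe passes the lexical pass in both and is caught only by the realpath check. That second check is the one worth having regardless of how a given release computes path depth.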
-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org