Debian: DSA-2783-1 Critical: Librack-Ruby Remote Access Denial Of Service
debian
October 21, 2013
Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface
Topics Covered
Summary
CVE-2011-5036
Rack computes hash values for form parameters without restricting
the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters.
CVE-2013-0184
Vulnerability in Rack::Auth::AbstractRequest allows remote
attackers to cause a denial of service via unknown vectors.
CVE-2013-0263
Rack::Session::Cookie allows remote attackers to guess the
session cookie, gain privileges, and execute arbitrary code via a
timing attack involving am HMAC comparison function that does not
run in constant time.
For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.
The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.
We recommend that you upgrade your librack-ruby packages.
Further information about Debian Security...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: librack-ruby
CVE ID: CVE-2011-5036 CVE-2013-0184 CVE-2013-0263
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!