Debian: DSA-2783-1: librack-ruby security update
Debian: DSA-2783-1: librack-ruby security update
Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilites and Exposures project identifies the following vulnerabilities:
- ------------------------------------------------------------------------- Debian Security Advisory DSA-2783-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Thijs Kinkhorst October 21, 2013 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : librack-ruby Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-5036 CVE-2013-0184 CVE-2013-0263 Debian Bug : 653963 698440 700226 Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilites and Exposures project identifies the following vulnerabilities: CVE-2011-5036 Rack computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CVE-2013-0184 Vulnerability in Rack::Auth::AbstractRequest allows remote attackers to cause a denial of service via unknown vectors. CVE-2013-0263 Rack::Session::Cookie allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time. For the oldstable distribution (squeeze), these problems have been fixed in version 1.1.0-4+squeeze1. The stable, testing and unstable distributions do not contain the librack-ruby package. They have already been addressed in version 1.4.1-2.1 of the ruby-rack package. We recommend that you upgrade your librack-ruby packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
