Debian: DSA-2783-2 Critical: Librack-Ruby DoS Issues Fixed
debian
October 24, 2013
The update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183
Topics Covered
Summary
For reference, the original advisory text follows:
Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilites and Exposures project
identifies the following vulnerabilities:
CVE-2011-5036
Rack computes hash values for form parameters without restricting
the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters.
CVE-2013-0184
Vulnerability in Rack::Auth::AbstractRequest allows remote
attackers to cause a denial of service via unknown vectors.
CVE-2013-0263
Rack::Session::Cookie allows remote attackers to guess the
session cookie, gain privileges, and execute arbitrary code via a
timing attack involving am HMAC comparison function that does not
run in constant time.
For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.
The stable, testing and unstable distributi...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: librack-ruby
CVE ID: CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!