MGASA-2020-0252 - Updated ruby-rack packages fix security vulnerability

Publication date: 10 Jun 2020
URL: https://advisories.mageia.org/MGASA-2020-0252.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-8161,
     CVE-2019-16782

Updated ruby-rack packages fix security vulnerabilities:

There's a possible information leak / session hijack vulnerability in
Rack(RubyGem rack). Attackers may be able to find and hijack sessions
by using timing attacks targeting the session id. Session ids are usually
stored and indexed in a database that uses some kind of scheme for
speeding up lookups of that session id. By carefully measuring the amount
of time it takes to look up a session, an attacker may be able to find a
valid session id and hijack the session. The session id itself may be
generated randomly, but the way the session is indexed by the backing
store does not use a secure comparison (CVE-2019-16782).

If certain directories exist in a director that is managed by
Rack::Directory, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified
in the Rack::Directory initializer (CVE-2020-8161).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26688
- https://bugs.mageia.org/show_bug.cgi?id=25915
- https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/
- https://www.debian.org/lts/security/2020/dla-2216
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8161
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782

SRPMS:
- 7/core/ruby-rack-2.0.8-1.mga7