CVE-2013-0263
Published: 8 February 2013
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
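The flaw named above is a comparison that stops at the first differing byte, so the time it takes depends on how much of a forged HMAC matches the real one. The Ruby below is an added illustration, not Rack's code and not the upstream patch: it instruments an early-exit comparison and a constant-time one (the XOR-accumulate shape that `Rack::Utils.secure_compare` took in the fix, reimplemented here) with a counter of bytes examined, so the difference is visible without any timing measurement. The secret, the session payload and the helper names (`early_exit_compare`, `constant_time_compare`, `sign`, `flip_at`) are constructed for this example.

```ruby
require 'openssl'

# Early-exit comparison, instrumented: returns [equal?, bytes_examined].
# This is the shape of a plain String#== and of the pre-fix Rack check;
# the count reveals where the first mismatch sits.
def early_exit_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  examined = 0
  a.bytes.zip(b.bytes).each do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison, instrumented: XOR each byte pair and OR the
# results into an accumulator, so the loop always runs to the end and the
# verdict depends only on the final accumulator. Same algorithm shape as the
# secure_compare added in the fix (reimplemented here, not copied).
# The length check is acceptable because a MAC has a fixed, public length.
def constant_time_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  acc = 0
  examined = 0
  a.bytes.zip(b.bytes).each do |x, y|
    examined += 1
    acc |= x ^ y
  end
  [acc.zero?, examined]
end

# Constructed secret and session payload for the illustration.
SECRET  = 'constructed-example-secret'
PAYLOAD = 'BAh7BjoLc2Vzc2lvbiIMdXNlcj0xMjM='

# HMAC-SHA1 hex digest, as a cookie-signing session store would attach.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Return a copy of str with the character at index changed, to build a
# candidate digest that is correct up to that position.
def flip_at(str, index)
  copy = str.dup
  copy[index] = copy[index] == '0' ? '1' : '0'
  copy
end

# Compare a genuine digest against candidates that diverge at the first and
# at the last character; returns the examined-byte counts for both checkers.
def demo
  good = sign(PAYLOAD)
  first_bad = flip_at(good, 0)
  last_bad  = flip_at(good, good.length - 1)
  {
    early_exit:    [early_exit_compare(good, first_bad), early_exit_compare(good, last_bad)],
    constant_time: [constant_time_compare(good, first_bad), constant_time_compare(good, last_bad)]
  }
end

if __FILE__ == $0
  result = demo
  puts "early-exit:    #{result[:early_exit].inspect}"
  puts "constant-time: #{result[:constant_time].inspect}"
end
```

Running the script shows the early-exit checker examining 1 byte for a candidate that is wrong from the start but all 40 for one that is wrong only in its last hex character, while the constant-time checker examines 40 in every case; it is that difference in work, measurable over the network, that the description calls a timing attack. Defensively, the point is that any comparison of a secret-derived value (HMAC, token, password hash) should use such a routine rather than `==`.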
Priority
Status
Package | Release | Status |
---|---|---|
ruby-rack (Launchpad, Ubuntu, Debian) | hardy | Does not exist |
ruby-rack | lucid | Does not exist |
ruby-rack | oneiric | Does not exist |
ruby-rack | precise | Does not exist (precise was needed) |
ruby-rack | quantal | Ignored (reached end-of-life) |
ruby-rack | raring | Ignored (reached end-of-life) |
ruby-rack | saucy | Released (1.5.2-1) |
ruby-rack | trusty | Released (1.5.2-1) |
ruby-rack | upstream | Released (1.3.10, 1.4.5, 1.5.2) |
ruby-rack | utopic | Released (1.5.2-1) |
ruby-rack | vivid | Released (1.5.2-1) |
ruby-rack | wily | Released (1.5.2-1) |
ruby-rack | xenial | Released (1.5.2-1) |
ruby-rack | yakkety | Released (1.5.2-1) |
ruby-rack | zesty | Released (1.5.2-1) |
Patches:
upstream: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
upstream: https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11