Date: Thu, 7 Feb 2013 19:34:47 -0800
From: James Tucker <raggi@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-0263: Rack all versions, Timing attack in cookie sessions

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE
Vulnerable code:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
and https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy
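Added illustration of the bug class named above, written for this page and not taken from Rack or the patch: a signed session cookie whose HMAC is checked with an early-exit comparison, beside a constant-time check. The secret, session contents and the payload--digest cookie layout are constructed assumptions that mirror a signed-cookie scheme, not values from the advisory.

```ruby
require 'openssl'
require 'base64'

# Constructed secret and session data for the example; not real values.
SECRET  = 'example-secret-do-not-use'
SESSION = { 'user_id' => 42 }

# Sign a serialized session and append the HMAC after a "--" separator.
# Marshal is used to mirror a serialized-object cookie; an attacker who can
# forge the digest controls what gets deserialized, which is the RCE concern.
def sign_cookie(data, secret)
  payload = Base64.strict_encode64(Marshal.dump(data))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  "#{payload}--#{digest}"
end

# Vulnerable shape: return at the first differing byte, so elapsed time grows
# with the length of the matching prefix. The index of the first mismatch is
# returned with the verdict so the leaked quantity is visible without timing.
def naive_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Hardened shape: touch every byte and fold differences with XOR, so the
# work done does not depend on where (or whether) the inputs differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.each_with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

# Verify a cookie the way a session store should: recompute the HMAC over the
# payload, compare it in constant time, and only then deserialize.
def load_cookie(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(payload))
end
```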
