Debian Security Advisory 2783-1

Debian Security Advisory 2783-1: Posted Oct 21, 2013; Authored by Debian | Site debian.org; Debian Linux Security Advisory 2783-1 - Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface.; tags | advisory, vulnerability, ruby; systems | linux, debian; advisories | CVE-2011-5036, CVE-2013-0184, CVE-2013-0263; MD5 | ce9ddbd8e4a29924262b3801b98f701f; Download | Favorite | Comments (0)

Debian Security Advisory 2783-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2783-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 21, 2013                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : librack-ruby
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-5036 CVE-2013-0184 CVE-2013-0263
Debian Bug     : 653963 698440 700226

Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilites and Exposures project
identifies the following vulnerabilities:

CVE-2011-5036

    Rack computes hash values for form parameters without restricting
    the ability to trigger hash collisions predictably, which allows
    remote attackers to cause a denial of service (CPU consumption)
    by sending many crafted parameters. 

CVE-2013-0184

    Vulnerability in Rack::Auth::AbstractRequest allows remote
    attackers to cause a denial of service via unknown vectors.

CVE-2013-0263

    Rack::Session::Cookie allows remote attackers to guess the
    session cookie, gain privileges, and execute arbitrary code via a
    timing attack involving am HMAC comparison function that does not
    run in constant time. 

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.

The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.

We recommend that you upgrade your librack-ruby packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSZXtbAAoJEFb2GnlAHawE5lUH/0ARXRuKQndYHr3fFN3LHw+Q
VKoG9kWicfHbffdg1VwUc0KCqe7OM6DX6g3pP+kU3Ql0LORKeRWXtCP0JR1vLogQ
OypAqHJCTlzVS0UweB5C7XMyA4CRVFaBJB5R40H1PAmXBGjQts3Dn8/41GOAZ58I
+c3apITFozjo4g/VsbiVJO0+jpI3CrRSzE00ebnIAQocm87l+oJj7tIVSJh8xVer
TU8KULsre/7mlKNJIMANMrTs0iOMOYL0DXpwmcMGRBkXKijsB52cqU1Snomz31Er
Sz+KPUED+VW+xYPSioWRxaUB2Vl50CpHgE7IMDo2poaCnOfV8RPfELZQzaRf9TQ=
=Xglb
-----END PGP SIGNATURE-----

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Red Hat 50 files
Ubuntu 43 files
Debian 26 files
HP 11 files
Jing Wang 10 files
Mandriva 9 files
Steffen Roesemann 9 files
Benjamin Kunz Mejri 9 files
hadji samir 7 files
Denis Andzakovic 7 files

File Archives

Systems

AIX (386)
Apple (1,212)
BSD (309)
Cisco (1,522)
Debian (4,648)
Fedora (1,665)
FreeBSD (1,113)
Gentoo (2,980)
HPUX (795)
iOS (63)
iPhone (102)
IRIX (219)
Juniper (66)
Linux (26,720)
Mac OS X (527)
Mandriva (2,901)
NetBSD (245)
OpenBSD (428)
RedHat (4,215)
Slackware (595)
Solaris (1,540)
SUSE (1,440)
Ubuntu (4,052)
UNIX (7,515)
UnixWare (157)
Windows (4,537)
Other

Debian Security Advisory 2783-1

Debian Security Advisory 2783-1

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Debian Security Advisory 2783-1

Share This

Debian Security Advisory 2783-1

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems