There is a possible information leak / session hijacking vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2019-16782.

Versions Affected: All.
Not affected: None.
Fixed Versions: 1.6.12, 2.0.8

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

Impact
------
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

Releases
--------
The 1.6.12 and 2.0.8 releases are available at the normal locations.

Workarounds
-----------
There are no known workarounds.
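The advisory's core point is that the value sent in the cookie is used verbatim as the index key in the session store, so anything the store's lookup path reveals (such as timing) is information about the cookie value itself. The following Ruby block, added here as an illustration and not code from Rack or from this bug report, contrasts a store keyed by the raw cookie value with one keyed by a one-way digest of it, which is the general shape of the mitigation (Rack's own fix introduced a hashed "private id" for the store; the class names, `private_id` helper and in-memory Hash standing in for a database index are assumptions of this example).

```ruby
require 'securerandom'
require 'digest'

# Generate a random session id for the cookie (stdlib; 32 bytes -> 64 hex chars).
def generate_session_id
  SecureRandom.hex(32)
end

# Vulnerable pattern from the advisory: the cookie value *is* the index key.
# A Ruby Hash stands in for the database index here (assumption of the example).
class RawKeyedStore
  def initialize
    @sessions = {}
  end

  def write(sid, data)
    @sessions[sid] = data
  end

  def read(sid)
    @sessions[sid]
  end

  # What an index over this store contains: the cookie values themselves.
  def keys
    @sessions.keys
  end
end

# Mitigated pattern: derive the index key from the cookie value with a one-way
# hash. The index only ever holds digests; a digest cannot be turned back into
# the cookie value, so information leaked about the key during lookup no longer
# describes the secret the client presents.
class HashedKeyedStore
  def initialize
    @sessions = {}
  end

  # The "private id" used for storage; the cookie keeps the public id.
  def private_id(public_id)
    Digest::SHA256.hexdigest(public_id)
  end

  def write(public_id, data)
    @sessions[private_id(public_id)] = data
  end

  def read(public_id)
    @sessions[private_id(public_id)]
  end

  def keys
    @sessions.keys
  end
end

# Exercise a store and report what the index exposes about the cookie value.
def session_id_exposure(store_class)
  store = store_class.new
  sid = generate_session_id
  data = { 'user_id' => 42 }            # constructed sample session payload
  store.write(sid, data)
  {
    roundtrip: store.read(sid) == data,                 # session still resolves
    cookie_value_is_index_key: store.keys.include?(sid), # raw store: true; hashed: false
    unknown_id_misses: store.read(generate_session_id).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "raw-keyed store:    #{session_id_exposure(RawKeyedStore)}"
  puts "hashed-keyed store: #{session_id_exposure(HashedKeyedStore)}"
end
```

Both stores resolve a valid session and miss an unknown one, so application behaviour is unchanged; the difference is that in `HashedKeyedStore` the index never contains the value the browser sends, which is the property the advisory says the affected versions lack. Hashing the id on write and on read is cheap and transparent to the application, and it does not replace the need for a randomly generated id, which the advisory notes Rack already had.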
rack 1.6.12 and 2.0.8 have been added.
This bug also requires new rails releases to leverage the changes in dev-ruby/rack. Rails 5.2.4.1 and Rails 6.0.2.1 have been released with fixes.
rails 5.2.4.1 and 6.0.2.1 have been added.
amd64 stable
hppa/sparc stable
x86 stable
arm stable
ia64 stable
s390 stable
ppc64 stable
ppc stable
Cleanup done.
@maintainer(s), again, thanks for the verbosity - it does help when keeping track of the versions! Tree is clean.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].