Bug 661454 (CVE-2018-1000119)

Summary: <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF token checking
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Low
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.securityfocus.com/archive/1/542153/30/0/threaded
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2018-07-18 05:02:42 UTC
(http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2018-1000119)

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the Ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Note: there is already a bump request at bug 645364.

Gentoo Security Padawan
(domhnall)
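The following is an added example, not code from this bug report or from rack-protection itself. It contrasts the class of check described above (a CSRF token comparison that exits at the first mismatching byte, which is what String#== does on MRI) with a constant-time comparison of the same shape as Rack::Utils.secure_compare. Instead of measuring wall-clock time, each comparison reports how many bytes it examined, which is the quantity a remote timing attack infers. The token value, the csrf_token_valid? helper and the leak_profile attacker model are all constructed for this example.

```ruby
# Added example, not code from the bug report or from rack-protection itself.
# It contrasts an early-exit token comparison (the class of bug described in
# CVE-2018-1000119) with a constant-time one, and exposes the side channel as
# a deterministic count of bytes examined instead of wall-clock time.

# Early-exit comparison: stops at the first mismatching byte, so the work done
# depends on how many leading bytes of the guess are correct. String#== on
# MRI behaves this way (it is a memcmp underneath). Returns [equal, examined].
def naive_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  examined = 0
  secret.bytes.zip(guess.bytes).each do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison in the same shape as Rack::Utils.secure_compare:
# OR every XOR difference into an accumulator and test it only at the end, so
# every byte is visited regardless of where (or whether) the inputs differ.
# The length check still leaks length, which is acceptable for a CSRF token
# whose length is fixed and public.
def secure_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  diff = 0
  examined = 0
  secret.bytes.zip(guess.bytes).each do |x, y|
    examined += 1
    diff |= x ^ y
  end
  [diff.zero?, examined]
end

# Hypothetical CSRF check of the kind a Rack middleware performs: the token
# stored in the session against the one submitted with the request.
def csrf_token_valid?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  secure_compare(session_token, submitted_token).first
end

# Constructed fixed 32-character token so the run is reproducible.
SECRET_TOKEN = "0123456789abcdef0123456789abcdef"

# Models an attacker who has recovered k leading bytes and probes the next
# one: guesses matching the secret for k = 0..3 bytes, then wrong. Returns the
# bytes examined for each, i.e. the observable that the timing attack measures.
def leak_profile(compare, secret)
  (0..3).map do |k|
    guess = secret[0, k] + ("~" * (secret.size - k))  # '~' is never a hex digit
    send(compare, secret, guess).last
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{leak_profile(:naive_compare, SECRET_TOKEN).inspect}"   # rises with k
  puts "secure: #{leak_profile(:secure_compare, SECRET_TOKEN).inspect}"  # flat
  puts "valid:  #{csrf_token_valid?(SECRET_TOKEN, SECRET_TOKEN.dup)}"
end
```

With the early-exit comparison the count grows by one for every correctly guessed leading byte, which is exactly the signal that lets an attacker recover the token one byte at a time over the network; with the constant-time comparison it is flat. In real code do not hand-roll this: use Rack::Utils.secure_compare (or an equivalent constant-time helper) for any comparison of secrets such as CSRF tokens, HMAC signatures or API keys.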
Comment 1 Hans de Graaff gentoo-dev Security 2018-07-18 05:47:44 UTC
dev-ruby/rack-protection-1.5.5 has been added. We already have fixed versions for the 2.x series.
Comment 2 Hans de Graaff gentoo-dev Security 2018-07-18 05:49:52 UTC
amd64 stable
Comment 3 Hans de Graaff gentoo-dev Security 2018-07-18 05:50:45 UTC
Cleanup done.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-11-24 22:15:57 UTC
tree is clean