There is a possible information leak / session hijacking vulnerability
in Rack. This vulnerability has been assigned the CVE identifier
Versions Affected: All.
Not affected: None.
Fixed Versions: 1.6.12, 2.0.8
There's a possible information leak / session hijack vulnerability in
Rack. Attackers may be able to find and hijack sessions by using timing
attacks targeting the session id. Session ids are usually stored and
indexed in a database that uses some kind of scheme for speeding up
lookups of that session id. By carefully measuring the amount of time it
takes to look up a session, an attacker may be able to find a valid
session id and hijack the session.
The session id itself may be generated randomly, but the way the session
is indexed by the backing store does not use a secure comparison.
The session id stored in a cookie is the same id that is used when
querying the backing session storage engine. Most storage mechanisms
(for example a database) use some sort of indexing in order to speed up
the lookup of that id. By carefully timing requests and session lookup
failures, an attacker may be able to perform a timing attack to
determine an existing session id and hijack that session.
The 1.6.12 and 2.0.8 releases are available at the normal locations.
There are no known workarounds.
rack 1.6.12 and 2.0.8 have been added.
This bug also requires new rails releases to leverage the changes in dev-ruby/rack. Rails 188.8.131.52 and Rails 184.108.40.206 have been released with fixes.
rails 220.127.116.11 and 18.104.22.168 have been added
@maintainer(s), again, thanks for the verbosity - it does help when keeping track of the versions! Tree is clean.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No
Thank you all for you work.
Closing as [noglsa].