Bug 661454 (CVE-2018-1000119) - <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF token checking
Summary: <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF tok...
Status: RESOLVED FIXED
Alias: CVE-2018-1000119
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low minor
Assignee: Gentoo Security
URL: https://www.securityfocus.com/archive...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-18 05:02 UTC by D'juan McDonald (domhnall)
Modified: 2018-11-24 22:15 UTC

See Also:
Package list:
Runtime testing required: ---
Description D'juan McDonald (domhnall) 2018-07-18 05:02:42 UTC
(http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2018-1000119)

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the Ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Note: there is already a bump request at bug 645364.

Gentoo Security Padawan
(domhnall)
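As an added illustration of the flaw class named in the description (example code written for this page, not rack-protection's own implementation and not the actual 1.5.5 patch), the following Ruby contrasts a short-circuiting CSRF token comparison with a constant-time one and counts how many bytes each examines for guesses sharing a growing correct prefix. The names `short_circuit_compare`, `constant_time_compare`, `valid_csrf_token?` and `leak_profile` are hypothetical; `Rack::Utils.secure_compare` is the real Rack helper that implements the same constant-time idea, and the token layout (64 hex characters in the session) is an assumption made here.

```ruby
# Added example, not rack-protection code: why comparing a submitted CSRF token
# with a short-circuiting String#== leaks timing, and how a constant-time
# comparison removes the leak.
require 'securerandom'

# Models a short-circuiting byte compare such as String#==: it stops at the
# first mismatching byte, so the work done (and hence the time taken) grows with
# the length of the correct prefix of the guess. Returns [match?, bytes_examined].
def short_circuit_compare(expected, given)
  steps = 0
  expected.each_byte.with_index do |byte, i|
    steps += 1
    return [false, steps] if given.getbyte(i) != byte
  end
  [given.bytesize == expected.bytesize, steps]
end

# Constant-time compare: always walks every byte of the expected value and ORs
# the XOR of each byte pair into an accumulator, so the work is independent of
# where (or whether) a mismatch occurs. Same idea as Rack::Utils.secure_compare.
# Token length is not secret, so an early length check is acceptable.
# Returns [match?, bytes_examined].
def constant_time_compare(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  acc = 0
  expected.each_byte.with_index { |byte, i| acc |= byte ^ given.getbyte(i) }
  [acc.zero?, expected.bytesize]
end

TOKEN_BYTES = 32 # assumed token size: 32 random bytes, hex-encoded to 64 chars

# Session-side token, generated once per session (assumed layout).
def generate_csrf_token
  SecureRandom.hex(TOKEN_BYTES)
end

# Hardened check: constant-time compare of the session token against the value
# submitted in the form field; missing values are rejected without comparing.
def valid_csrf_token?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  constant_time_compare(session_token, submitted_token.to_s).first
end

# Shows the side channel: bytes examined by each compare for guesses that share
# 0, 8 and 16 leading bytes with the real token. "!" is not a hex character, so
# the padded tail always mismatches at the first padded position.
def leak_profile(token)
  [0, 8, 16].map do |prefix|
    guess = token[0, prefix] + ('!' * (token.bytesize - prefix))
    { prefix: prefix,
      short_circuit: short_circuit_compare(token, guess).last,
      constant_time: constant_time_compare(token, guess).last }
  end
end

if __FILE__ == $PROGRAM_NAME
  token = generate_csrf_token
  leak_profile(token).each do |row|
    puts "prefix #{row[:prefix]}: short-circuit examined #{row[:short_circuit]} bytes, " \
         "constant-time examined #{row[:constant_time]} bytes"
  end
end
```

The short-circuiting variant examines 1, 9 and 17 bytes for the three guesses, so response time correlates with how much of the token a caller has right; the constant-time variant examines all 64 bytes every time. In a real check the comparison is one part of the fix: the token must also be bound to the session and generated with a CSPRNG, as `generate_csrf_token` does here with `SecureRandom`.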
Comment 1 Hans de Graaff gentoo-dev 2018-07-18 05:47:44 UTC
dev-ruby/rack-protection-1.5.5 has been added. We already have fixed versions for the 2.x series.
Comment 2 Hans de Graaff gentoo-dev 2018-07-18 05:49:52 UTC
amd64 stable
Comment 3 Hans de Graaff gentoo-dev 2018-07-18 05:50:45 UTC
Cleanup done.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-24 22:15:57 UTC
tree is clean