661454 – (CVE-2018-1000119) <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF token checking

Bug 661454 (CVE-2018-1000119) - <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF token checking

Summary: <dev-ruby/rack-protection-1.5.5: timing attack vulnerability in the CSRF tok...

Status:	RESOLVED FIXED

Alias:	CVE-2018-1000119

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Low minor (vote)
Assignee:	Gentoo Security

URL:	https://www.securityfocus.com/archive...
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-07-18 05:02 UTC by D'juan McDonald (domhnall)
Modified:	2018-11-24 22:15 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2018-07-18 05:02:42 UTC

(http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2018-1000119)

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

note: there is already a bump request at bug 645364

Gentoo Security Padawan
(domhnall)

Comment 1 Hans de Graaff gentoo-dev

2018-07-18 05:47:44 UTC

dev-ruby/rack-protection-1.5.5 has been added. we already have fixed versions for the 2.x series.

Comment 2 Hans de Graaff gentoo-dev

2018-07-18 05:49:52 UTC

amd64 stable

Comment 3 Hans de Graaff gentoo-dev

2018-07-18 05:50:45 UTC

Cleanup done.

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2018-11-24 22:15:57 UTC

tree is clean