DSA-2783-2 librack-ruby -- severalID: oval:org.secpod.oval:def:601134 | Date: (C)2013-10-28 (M)2023-02-20 |
Class: PATCH | Family: unix |
The update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183. The patch applied breaks rails applications like redmine . Updated packages are available to address this problem. For reference, the original advisory text follows: Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilites and Exposures project identifies the following vulnerabilities: CVE-2011-5036 Rack computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service by sending many crafted parameters. CVE-2013-0184 Vulnerability in Rack::Auth::AbstractRequest allows remote attackers to cause a denial of service via unknown vectors. CVE-2013-0263 Rack::Session::Cookie allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time.