Back to bug 1301933
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Adam Mariš | 2016-01-26 12:10:10 UTC | Depends On | 1301934 | |
| Adam Mariš | 2016-01-26 12:10:19 UTC | Depends On | 1301935 | |
| Adam Mariš | 2016-01-26 13:32:53 UTC | Summary | CVE-2015-7576 rubygem-rails: Timing attack vulnerability in basic authentication in Action Controller | CVE-2015-7576 rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller |
| | | Whiteboard | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,sam-1/rubygem-rails=new,sam-1/ruby193-rubygem-rails=new,cfme-5.2/ruby193-rubygem-rails=new,cfme-5.3/ruby193-rubygem-rails=new,rhscl-2/rh-ror41-ruby193-rubygem-rails=new,rhscl-2/ror40-rubygem-rails=new,rhscl-2/ruby193-rubygem-rails=new,openshift-1/ruby193-rubygem-rails=affected,fedora-all/rubygem-rails=affected | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,sam-1/rubygem-actionpack=new,sam-1/ruby193-rubygem-actionpack=new,cfme-5.2/ruby193-rubygem-actionpack=new,cfme-5.3/ruby193-rubygem-actionpack=new,rhscl-2/rh-ror41-rubygem-actionpack=new,rhscl-2/ror40-rubygem-actionpack=new,rhscl-2/ruby193-rubygem-actionpack=new,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected,sam-1/rubygem-activesupport=new,sam-1/ruby193-rubygem-activesupport=new,cfme-5.2/ruby193-rubygem-activesupport=new,cfme-5.3/ruby193-rubygem-activesupport=new,rhscl-2/rh-ror41-rubygem-activesupport=new,rhscl-2/ror40-rubygem-activesupport=new,rhscl-2/ruby193-rubygem-activesupport=new,openshift-1/ruby193-rubygem-activesupport=affected,openshift-1/rubygem-activesupport=affected,fedora-all/rubygem-activesupport=affected |
| Adam Mariš | 2016-01-26 13:54:13 UTC | Depends On | 1301995 | |
| Adam Mariš | 2016-01-26 13:54:19 UTC | Depends On | 1301996 | |
| Adam Mariš | 2016-01-26 13:54:31 UTC | Depends On | 1301997 | |
| Adam Mariš | 2016-01-26 13:54:37 UTC | Depends On | 1301998 | |
| Adam Mariš | 2016-01-26 13:54:45 UTC | Depends On | 1301999 | |
| Adam Mariš | 2016-01-26 14:08:12 UTC | Blocks | 1302006 | |
| Tomas Hoger | 2016-02-05 14:26:45 UTC | Whiteboard | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,sam-1/rubygem-actionpack=new,sam-1/ruby193-rubygem-actionpack=new,cfme-5.2/ruby193-rubygem-actionpack=new,cfme-5.3/ruby193-rubygem-actionpack=new,rhscl-2/rh-ror41-rubygem-actionpack=new,rhscl-2/ror40-rubygem-actionpack=new,rhscl-2/ruby193-rubygem-actionpack=new,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected,sam-1/rubygem-activesupport=new,sam-1/ruby193-rubygem-activesupport=new,cfme-5.2/ruby193-rubygem-activesupport=new,cfme-5.3/ruby193-rubygem-activesupport=new,rhscl-2/rh-ror41-rubygem-activesupport=new,rhscl-2/ror40-rubygem-activesupport=new,rhscl-2/ruby193-rubygem-activesupport=new,openshift-1/ruby193-rubygem-activesupport=affected,openshift-1/rubygem-activesupport=affected,fedora-all/rubygem-activesupport=affected | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=new,sam-1/ruby193-rubygem-actionpack=new,cfme-5.2/ruby193-rubygem-actionpack=new,cfme-5.3/ruby193-rubygem-actionpack=new,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected |
| Ján Rusnačko | 2016-02-09 13:23:59 UTC | CC | jrusnack | |
| | | Doc Text | A flaw was found in the way Action Controller compares user names and passwords in basic authentication authorization code. Time taken to compare strings could differ and attacker could use this timing side channel to perform attack on usernames and passwords. | |
| | | Whiteboard | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=new,sam-1/ruby193-rubygem-actionpack=new,cfme-5.2/ruby193-rubygem-actionpack=new,cfme-5.3/ruby193-rubygem-actionpack=new,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=wontfix,sam-1/ruby193-rubygem-actionpack=wontfix,cfme-5.2/ruby193-rubygem-actionpack=affected,cfme-5.3/ruby193-rubygem-actionpack=affected,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected |
| Tomas Hoger | 2016-02-10 13:30:06 UTC | Depends On | 1306275 | |
| Tomas Hoger | 2016-02-10 13:30:13 UTC | Depends On | 1306276 | |
| Tomas Hoger | 2016-02-10 13:30:19 UTC | Depends On | 1306277 | |
| Tomas Hoger | 2016-02-10 13:30:27 UTC | Depends On | 1306278 | |
| Tomas Hoger | 2016-02-10 13:30:31 UTC | Depends On | 1306279 | |
| Tomas Hoger | 2016-02-10 13:30:41 UTC | Depends On | 1306281 | |
| Ján Rusnačko | 2016-02-10 15:01:57 UTC | Whiteboard | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=wontfix,sam-1/ruby193-rubygem-actionpack=wontfix,cfme-5.2/ruby193-rubygem-actionpack=affected,cfme-5.3/ruby193-rubygem-actionpack=affected,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=wontfix,sam-1/ruby193-rubygem-actionpack=wontfix,cfme-5.2/ruby193-rubygem-actionpack=wontfix,cfme-5.3/ruby193-rubygem-actionpack=wontfix,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected |
| Joe Rafaniello | 2016-02-10 15:54:34 UTC | CC | jrafanie | |
| Martin Prpič | 2016-02-24 09:33:49 UTC | Doc Text | A flaw was found in the way Action Controller compares user names and passwords in basic authentication authorization code. Time taken to compare strings could differ and attacker could use this timing side channel to perform attack on usernames and passwords. | A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. |
| Tomas Hoger | 2016-03-15 21:21:58 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-03-15 17:21:58 UTC | |
| Product Security DevOps Team | 2019-09-29 13:43:28 UTC | Whiteboard | impact=low,public=20160125,reported=20160122,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,rhscl-2/ruby193-rubygem-actionpack=affected,rhscl-2/ror40-rubygem-actionpack=affected,rhscl-2/rh-ror41-rubygem-actionpack=affected,sam-1/rubygem-actionpack=wontfix,sam-1/ruby193-rubygem-actionpack=wontfix,cfme-5.2/ruby193-rubygem-actionpack=wontfix,cfme-5.3/ruby193-rubygem-actionpack=wontfix,openshift-1/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected | |
| Ondrej Soukup | 2021-06-02 06:13:26 UTC | CC | osoukup | |