A flaw was found in rack-protection. Versions prior to 2.0.0.rc3 of the package are vulnerable to a timing attack due to time-variable comparison of signatures. A malicious user can guess a valid signature one char at a time by considering the time it takes a signature validation to fail.
References:
https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470
https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395
Patch: https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
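The vulnerable comparison next to a constant-time replacement (the same approach as Rack::Utils.secure_compare), as an added Ruby example that is not rack-protection's own code; the HMAC signing helper and the secret are constructed for illustration:

```ruby
require 'openssl'

# Constant-time comparison of two strings. A length mismatch returns
# early (the length of a signature is not secret); otherwise every byte
# is XORed and the results are OR-accumulated, so the time taken does not
# depend on where the first differing byte sits.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  left = a.unpack('C*')
  acc = 0
  i = -1
  b.each_byte { |byte| acc |= byte ^ left[i += 1] }
  acc.zero?
end

# Constructed sample secret; a real deployment loads it from configuration.
SECRET = 'constructed-sample-secret'.freeze

# Hypothetical signing helper: HMAC-SHA256 over the session payload.
def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Vulnerable validation: String#== stops at the first mismatching byte,
# so the time it takes to fail reveals how many leading bytes were right.
def valid_signature_variable_time?(payload, signature)
  sign(payload) == signature
end

# Hardened validation: every same-length candidate costs the same to
# compare, so the failure time says nothing about the correct prefix.
def valid_signature?(payload, signature)
  secure_compare(sign(payload), signature)
end
```

Both validators return the same boolean for any input; only the hardened one keeps the comparison time independent of the candidate's content.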
Created rubygem-rack-protection tracking bugs for this issue: Affects: epel-7 [bug 1534028] Affects: fedora-26 [bug 1534029]
Created pcs tracking bugs for this issue: Affects: openstack-rdo [bug 1554872]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1060 https://access.redhat.com/errata/RHSA-2018:1060
Statement: This issue affects the versions of rubygem-rack-protection as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.