A flaw was found in rack-protection. Versions prior to 2.0.0.rc3 of the package are vulnerable to a timing attack due to time-variable comparison of signatures. A malicious user can guess a valid signature one character at a time by measuring how long a signature validation takes to fail.
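The flaw above is the difference between an early-exit string comparison and a constant-time one. The following is an added illustration, not rack-protection's own code: it signs a payload with HMAC-SHA256 and validates the presented signature with a comparison whose run time does not depend on where a mismatch occurs (Rack ships Rack::Utils.secure_compare for the same purpose). The secret and payload are constructed sample values.

```ruby
require 'openssl'

# Time-variable comparison (the pattern behind the flaw described above):
# String#== returns as soon as the first differing byte is seen, so the time
# to fail reveals how many leading characters of the guess were correct.
def timing_variable_match?(a, b)
  a == b
end

# Constant-time comparison: always walks the full string and ORs together the
# per-byte XOR differences, so the elapsed time is independent of the
# position of the first mismatch. Length is checked first because the two
# digests are fixed-width and the length itself is not secret.
def constant_time_match?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Produce the hex HMAC-SHA256 signature of a payload under a server-side secret.
def sign(secret, payload)
  OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
end

# Validate a presented signature. Recomputing the expected digest and comparing
# in constant time is the mitigation for the timing leak.
def valid_signature?(secret, payload, presented)
  constant_time_match?(sign(secret, payload), presented.to_s)
end

if $PROGRAM_NAME == __FILE__
  secret  = 'constructed-demo-secret'   # constructed sample value
  payload = 'user=42'                   # constructed sample value
  good = sign(secret, payload)
  # Flip the last hex digit to simulate a tampered or guessed signature.
  bad = good[0...-1] + (good[-1] == '0' ? '1' : '0')
  puts valid_signature?(secret, payload, good)  # true
  puts valid_signature?(secret, payload, bad)   # false
end
```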
Created rubygem-rack-protection tracking bugs for this issue:
Affects: epel-7 [bug 1534028]
Affects: fedora-26 [bug 1534029]
Created pcs tracking bugs for this issue:
Affects: openstack-rdo [bug 1554872]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1060 https://access.redhat.com/errata/RHSA-2018:1060
This issue affects the versions of rubygem-rack-protection as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.