Bug 522162 (CVE-2009-3086) - CVE-2009-3086 rubygem-actionpack: Message digest forgery
Summary: CVE-2009-3086 rubygem-actionpack: Message digest forgery
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://weblog.rubyonrails.org/2009/9/...
Whiteboard: impact=moderate,public=20090904,repor...
Depends On: 538231 538232 961066
Blocks:
Reported: 2009-09-09 15:57 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 17:45:09 UTC



Description Jan Lieskovsky 2009-09-09 15:57:18 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3086 to
the following vulnerability:

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
before 2.3.4, leaks information about the complexity of message-digest
signature verification in the cookie store, which might allow remote
attackers to forge a digest via multiple attempts.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
http://www.vupen.com/english/advisories/2009/2544

Upstream patches:
-----------------
http://weblog.rubyonrails.org/assets/2009/9/4/2-2-timing-weakness.patch
http://weblog.rubyonrails.org/assets/2009/9/4/2-3-timing-weakness.patch
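The weakness described above, as an added example that is not the Rails code or the upstream patch: a cookie signed the way the Rails 2.x cookie store does it ("payload--HMAC-SHA1 hexdigest"), verified first with a comparison that stops at the first differing byte and then with the accumulate-XOR comparison the fix adopts. The secret and payload are constructed for the demo; each verifier returns how many digest bytes it examined, which is exactly what the timing difference leaks.

```ruby
require 'openssl'

# Constructed values for this demo only.
SECRET = 'constructed-demo-secret'
PAYLOAD = 'user_id=42'

# Sign like the Rails 2.x cookie store: "payload--HMAC-SHA1 hexdigest".
def sign_cookie(payload, secret = SECRET)
  "#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)}"
end

# Vulnerable pattern: stop at the first differing byte. Returns
# [match?, bytes examined]; the second value is what response timing
# reveals, letting a wrong digest be refined one byte at a time.
def naive_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.bytes.zip(b.bytes).each do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Fixed pattern (what the upstream patch introduced as secure_compare):
# OR together the XOR of every byte pair, so the work done does not
# depend on where the first mismatch lies.
def secure_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  [diff.zero?, a.bytesize]
end

# Verify a cookie with the chosen comparison; returns [valid?, bytes examined].
def verify_cookie(cookie, compare, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return [false, 0] if digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
  compare.call(expected, digest)
end

# Build a digest that agrees with the real one up to hex position n and
# differs there, so the two verifiers can be compared on the same input.
def tamper_digest_at(cookie, n)
  payload, digest = cookie.split('--', 2)
  flipped = digest[n] == '0' ? '1' : '0'
  "#{payload}--#{digest[0, n]}#{flipped}#{digest[(n + 1)..-1]}"
end
```

With a digest wrong at position 10, naive_compare reports 11 bytes examined while secure_compare always reports 40, the full SHA-1 hex length.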

Comment 1 Jan Lieskovsky 2009-09-09 16:02:01 UTC
This issue affects the version of rubygem-actionpack, as shipped
with Fedora release 10 (and potentially also with 11 -- didn't check).

Please fix.

Comment 3 Jeroen van Meeuwen 2010-04-30 12:34:26 UTC
I've submitted a build of 2.1.1 with the 2.2.x patch applied for review; I'll submit it to epel-5-updates stable or testing depending on today's feedback:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2148375

Comment 4 Vincent Danen 2011-06-14 19:58:26 UTC
It doesn't look like rubygem-actionpack-2.1.1-6.el5 was ever submitted to EPEL5; when I look for the latest release version I see -5.el5.  Do you still intend to submit that fix?

Comment 5 Vincent Danen 2013-05-08 17:43:00 UTC
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 961066]

Comment 6 Vincent Danen 2013-05-08 17:45:09 UTC
Tracking bug filed for EPEL5 so this can be followed up there; no need to keep this open when it's fixed everywhere else for the last three years.
