James Tucker (raggi) reports: CVE: CVE-2013-0263 Software: Rack (rack.github.com) Type of vulnerability: Timing attack, leading to potential RCE Vulnerable code: https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149 Patch: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11 Versions affected: All prior versions. Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2 Reporter: Ben Murphy Reference: http://seclists.org/oss-sec/2013/q1/271
Created rubygem-rack tracking bugs for this issue Affects: epel-all [bug 909088]
Created rubygem-rack tracking bugs for this issue Affects: fedora-all [bug 909091]
Created attachment 696259 [details] Modified patch for rack 1.3.0 I had to backport the digest_match? and secure_compare functions. It's pretty trivial.
Upstream commits for rack 1.3 are: https://github.com/rack/rack/commit/feea59c1abacd455c222bfee67541b1078378929 https://github.com/rack/rack/commit/26c8500e9c49a0e625e1bd8d7158cabdfa2e17ae
This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise Via RHSA-2013:0638 https://rhn.redhat.com/errata/RHSA-2013-0638.html
This issue has been addressed in following products: Red Hat Subscription Asset Manager 1.2 Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
rubygem-rack-1.4.0-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-rack-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.