FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-0263

This CVE name corresponds to:

Entered Topic
2013-02-17 Ruby Rack Gem -- Multiple Issues

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2013-0263
Phase Assigned(20121206)

Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
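The following Ruby example is added here to illustrate the flaw described above; it is not code from Rack or from this advisory. It models a cookie session store that signs a serialised payload with HMAC-SHA1 and then verifies it in two ways: a naive verifier that checks the digest with String#==, and a hardened verifier that uses a constant-time comparison. The cookie layout ("payload--hexdigest"), the secret, the session contents and the helper names are all constructed for the example; secure_compare follows the general XOR-and-accumulate pattern used by constant-time comparison helpers and is not presented as Rack's own implementation. leaky_compare exists only to make the early-exit behaviour observable deterministically: it reports how many bytes were examined before the comparison gave up, which is the quantity an attacker recovers indirectly by timing the server's responses.

```ruby
require 'openssl'
require 'base64'

# Constructed secret for this example only; a real deployment uses a random key.
SECRET = 'example-secret-not-for-production'.freeze

# HMAC-SHA1 over the serialised payload, hex-encoded (40 characters).
def generate_hmac(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Build a signed cookie: base64(Marshal.dump(session)) followed by "--" and the HMAC.
# Marshal is used here because serialising Ruby objects into the cookie is what
# turns a forged HMAC into arbitrary code execution: whatever is deserialised is
# attacker-controlled once the signature check can be bypassed.
def pack_cookie(session, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{generate_hmac(data, secret)}"
end

# Models the early-exit behaviour of a naive comparison (String#== is typically
# backed by memcmp, which stops at the first differing byte). Returns
# [equal?, bytes_examined]; the second value is what leaks as elapsed time.
def leaky_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: XOR each byte pair and OR the results together, so
# the loop always walks the whole string no matter where a mismatch occurs.
# Length is checked first; the digest length is public, so that leaks nothing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  r = 0
  b.each_byte.with_index { |byte, i| r |= byte ^ l[i] }
  r.zero?
end

# Vulnerable verifier: the digest check short-circuits on the first wrong byte,
# so an attacker can recover the valid HMAC one byte at a time by timing requests.
def verify_cookie_vulnerable(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless digest == generate_hmac(data, secret)
  Marshal.load(Base64.strict_decode64(data))
end

# Hardened verifier: identical logic, but the digest check runs in constant time.
def verify_cookie_fixed(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless secure_compare(digest, generate_hmac(data, secret))
  Marshal.load(Base64.strict_decode64(data))
end

if __FILE__ == $PROGRAM_NAME
  cookie = pack_cookie({ 'user_id' => 42 })
  puts "valid cookie  -> #{verify_cookie_fixed(cookie).inspect}"
  forged = cookie.sub(/--.*\z/, '--' + '0' * 40)
  puts "forged cookie -> #{verify_cookie_fixed(forged).inspect}"
  # Two wrong guesses against the same reference: the naive comparison does
  # measurably more work for the guess that shares a longer correct prefix.
  puts "leaky: #{leaky_compare('abcdef', 'xbcdef').inspect} vs #{leaky_compare('abcdef', 'abcxyz').inspect}"
end
```

Both verifiers reject a forged or tampered cookie; the difference is only in how long the rejection takes, which is exactly the signal the attack exploits. Note that constant-time comparison removes the timing oracle but does not change the trust model: the payload is still deserialised with Marshal, so the HMAC secret must remain strong and unguessable.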

References

Source Reference
MISC https://bugzilla.redhat.com/show_bug.cgi?id=909071
MISC https://gist.github.com/codahale/f9f3781f7b54985bee94
MISC https://twitter.com/coda/statuses/299732877745197056
CONFIRM http://rack.github.com/
CONFIRM https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
CONFIRM https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
CONFIRM https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
CONFIRM https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
CONFIRM https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
CONFIRM https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
CONFIRM https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
DEBIAN DSA-2783
REDHAT RHSA-2013:0686
SUSE openSUSE-SU-2013:0462
OSVDB 89939
SECUNIA 52033
SECUNIA 52134
SECUNIA 52774