| Name | CVE-2013-0263 |
| Description | Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-2783-1 |
| Debian Bugs | 700226 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby-rack (PTS) | jessie, jessie (lts) | 1.5.2-3+deb8u4 | fixed |
| stretch (security) | 1.6.4-4+deb9u2 | fixed | |
| stretch (lts), stretch | 1.6.4-4+deb9u6 | fixed | |
| buster | 2.0.6-3 | fixed | |
| buster (security) | 2.0.6-3+deb10u4 | fixed | |
| bullseye (security), bullseye | 2.1.4-3+deb11u1 | fixed | |
| bookworm | 2.2.6.4-1 | fixed | |
| trixie | 2.2.7-1 | fixed | |
| sid | 2.2.7-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| librack-ruby | source | squeeze | 1.1.0-4+squeeze1 | DSA-2783-1 | ||
| librack-ruby | source | (unstable) | (unfixed) | 700226 | ||
| ruby-rack | source | (unstable) | 1.4.1-2.1 | 700226 |
https://bugzilla.suse.com/show_bug.cgi?id=802794
Patches in git, commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11