Message-ID: <CALMiPQDsdpi=KFoOyO9m7txEWSwuJRYQTxFzgEsT97eEEYebiQ@mail.gmail.com>
Date: Thu, 7 Feb 2013 19:34:47 -0800
From: James Tucker <raggi@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-0263: Rack all versions, Timing attack in cookie sessions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE
Vulnerable code: https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)

iQEcBAEBAgAGBQJRFHIMAAoJELphsezQxofDmlwH/1vqc5a8UoyyqQJW9FcWisKt
+M/2xboWI5tXJ/XYEzp1hLenTEmUVRK0YpezgROCJPCTCi0RkRW00cHW8Jo7vDs1
8xxId6vlCDAgtWvJX3oRlCIQ7ot/CrcDFvTtLDjtdgkzydv534GUMAPiZphF2Mrz
TuU0LVCKx8P2GYnT0wid6bmgLhtHS9XYWTN+K/QRmwqJlhMMeK061CzhTwPESWyE
9xgwH0v7W3HpAo5NAA227/Z5i0s89tNCYHbTrt6B75K0MRaKbsTszLk0E0H3qBg9
rvJoaXOv2Z9IqvvZMpOR/Gg89vIE1LXtTZixR3BgJQazLKFPH1wByy7jMlzC3F0=
=wEzk
-----END PGP SIGNATURE-----
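The advisory above is the reporter's record and says nothing about mechanism beyond "timing attack in cookie sessions". What follows is an added Ruby example, written for this page; it is not Rack's code and not the linked patch. It models the bug class: a cookie-session store that signs a Marshal-serialized, Base64-encoded payload with HMAC-SHA1 and checks the tag with String#==, which stops at the first differing byte, beside the standard constant-time XOR-accumulate comparison. The cookie layout `data--hexdigest`, the secret, the session contents and every helper name here are constructed for the example. `naive_compare_steps` counts how many bytes a short-circuiting compare inspects before it can reject a guess, which is the quantity a timing attacker recovers one position at a time; `decode_session` shows why a forged tag escalates to code execution, since the payload that passes verification is handed straight to Marshal.load.

```ruby
require "openssl"

# Constructed example value: not a real secret and not a Rack default.
EXAMPLE_SECRET = "example-secret-do-not-use"

# Session payload as a cookie-session store carries it: Marshal dump, then
# strict Base64 (pack "m0" emits no newlines and never contains "-").
def encode_session(hash)
  [Marshal.dump(hash)].pack("m0")
end

# Only call this on data whose MAC has already been verified. Marshal.load on
# attacker-controlled bytes is the step that turns a forged tag into RCE.
def decode_session(data)
  Marshal.load(data.unpack1("m0"))
end

# HMAC-SHA1 over the encoded payload, hex-encoded (40 hex characters).
def generate_hmac(data, secret = EXAMPLE_SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Cookie layout assumed for this example: "<data>--<hexdigest>".
def sign(data, secret = EXAMPLE_SECRET)
  "#{data}--#{generate_hmac(data, secret)}"
end

# Vulnerable shape: String#== on the digest. It returns as soon as a byte
# differs, so the time to reject grows with the length of the correct prefix.
def verify_insecure(cookie, secret = EXAMPLE_SECRET)
  data, digest = cookie.split("--", 2)
  return nil if digest.nil?
  digest == generate_hmac(data, secret) ? data : nil
end

# Model of what a short-circuiting compare leaks: the number of bytes it
# inspects before answering "not equal" (the full length on a match, 0 when
# the lengths already differ).
def naive_compare_steps(guess, real)
  return 0 unless guess.bytesize == real.bytesize
  guess.bytesize.times do |i|
    return i + 1 if guess.getbyte(i) != real.getbyte(i)
  end
  guess.bytesize
end

# Constant-time comparison: XOR each byte pair and OR the results together,
# so every byte is visited and the running time depends only on the length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  r = 0
  b.each_byte { |v| r |= v ^ l.shift }
  r == 0
end

# Hardened shape: same cookie parsing, constant-time digest check.
def verify_secure(cookie, secret = EXAMPLE_SECRET)
  data, digest = cookie.split("--", 2)
  return nil if digest.nil?
  secure_compare(digest, generate_hmac(data, secret)) ? data : nil
end

if $PROGRAM_NAME == __FILE__
  data = encode_session({ "user_id" => 42 })
  cookie = sign(data)
  real = generate_hmac(data)
  # A guess with the first 8 hex digits right is inspected 9 bytes deep by the
  # naive compare; secure_compare always visits all 40 before answering.
  guess = real[0, 8] + "x" * 32
  puts "naive compare stopped after #{naive_compare_steps(guess, real)} bytes"
  puts "verified session: #{decode_session(verify_secure(cookie)).inspect}"
  puts "forged cookie accepted? #{!verify_secure("#{data}--#{guess}").nil?}"
end
```

Once an attacker can recover the tag byte by byte, the data half of the cookie is entirely under their control, and whatever the store deserializes it with runs on the server; that is the path from "timing attack" to "potential RCE" in the subject line.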