CVE-2013-0263

Priority
Description
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x
before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote
attackers to guess the session cookie, gain privileges, and execute
arbitrary code via a timing attack involving an HMAC comparison function
that does not run in constant time.
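The comparison flaw described above, shown as an added example (not Rack's code and not the upstream patch): an early-exit compare does work proportional to the length of the matching digest prefix, while an XOR-accumulate compare always examines every byte. The `payload--digest` cookie layout, HMAC-SHA1, the secret and all method names are assumptions made for illustration.

```ruby
require "openssl"

SECRET = "constructed-demo-secret" # constructed value for this example

# Hex HMAC-SHA1 over the cookie payload (hypothetical helper).
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Early-exit comparison, modelling an ordinary string equality check.
# Returns [equal?, bytes_examined] so the data-dependent work is visible.
def leaky_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i + 1] unless byte == b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: XOR each byte pair and OR the results, so the
# loop touches every byte no matter where the first mismatch is.
def secure_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    diff |= x ^ y
    examined += 1
  end
  [diff.zero?, examined]
end

# Verify a "payload--digest" cookie with the named comparison method.
def verify(cookie, compare)
  payload, _, digest = cookie.rpartition("--")
  send(compare, sign(payload), digest)
end

# Test fixture: keep the first n digest characters, corrupt the rest.
def tampered_cookie(good_cookie, n)
  payload, _, digest = good_cookie.rpartition("--")
  bad = digest[0, n] + digest[n..-1].tr("0-9a-f", "g")
  "#{payload}--#{bad}"
end

if __FILE__ == $PROGRAM_NAME
  good = "c2Vzc2lvbg==--#{sign('c2Vzc2lvbg==')}" # constructed cookie
  [0, 10, 39].each { |n| p [n, verify(tampered_cookie(good, n), :leaky_compare), verify(tampered_cookie(good, n), :secure_compare)] }
end
```
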
Notes
Package
Upstream: released (1.3.10, 1.4.5, 1.5.2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [1.5.2-1])
Ubuntu 16.04 LTS (Xenial Xerus): released (1.5.2-1)
Patches:
Upstream: https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
Upstream: https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
More Information

Updated: 2019-12-05 21:02:13 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)