DescriptionRack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs700226
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
librack-ruby (PTS)squeeze, squeeze (security)1.1.0-4+squeeze2fixed
squeeze (lts)1.1.0-4+squeeze3fixed
ruby-rack (PTS)wheezy, wheezy (security)1.4.1-2.1+deb7u1fixed
jessie, jessie (security)1.5.2-3+deb8u1fixed
stretch, sid1.6.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Patches in git, commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11

Search for package or bug name: Reporting problems