CVE-2013-0263

NameCVE-2013-0263
DescriptionRack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2783-1
Debian Bugs700226

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye (security), bullseye2.1.4-3+deb11u2fixed
bookworm, bookworm (security)2.2.6.4-1+deb12u1fixed
sid, trixie2.2.7-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
librack-rubysourcesqueeze1.1.0-4+squeeze1DSA-2783-1
librack-rubysource(unstable)(unfixed)700226
ruby-racksource(unstable)1.4.1-2.1700226

Notes

https://bugzilla.suse.com/show_bug.cgi?id=802794
Patches in git, commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11

Search for package or bug name: Reporting problems