CVE-2018-1000119

Name: CVE-2018-1000119
Description: Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the Ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-4247-1
Debian Bugs: 892250
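The weakness described above is a token comparison whose running time depends on how many leading bytes of the supplied value match the stored one. The Ruby snippet below is an added illustration of that defect beside a hardened form; it is not code from rack-protection, Sinatra or the linked fix commit. The token value is a constructed sample, and the helper names (naive_token_match?, fixed_length_secure_compare, secure_token_match?) are hypothetical; in a real application the equivalent standard helper is Rack::Utils.secure_compare.

```ruby
require "digest"

# Naive comparison: String#== returns as soon as a byte differs, so the
# time it takes grows with the number of leading bytes that match. This is
# the shape of the defect the CVE description refers to.
def naive_token_match?(expected, provided)
  expected == provided
end

# Constant-time comparison over equal-length byte strings: every byte is
# examined and the differences are accumulated with XOR/OR, so the run time
# does not depend on the position of the first mismatch.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "inputs must have equal length" unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Comparison for inputs of possibly different length: hash both sides first
# so the fixed-length compare always receives equal-length digests and an
# early length check cannot leak the length of the real token.
def secure_token_match?(expected, provided)
  return false if expected.nil? || provided.nil?
  fixed_length_secure_compare(
    Digest::SHA256.digest(expected),
    Digest::SHA256.digest(provided)
  )
end

# Constructed sample CSRF token (not a real secret).
SAMPLE_TOKEN = "b3f1c2d4e5f60718293a4b5c6d7e8f90".freeze

if __FILE__ == $PROGRAM_NAME
  puts secure_token_match?(SAMPLE_TOKEN, SAMPLE_TOKEN)
  puts secure_token_match?(SAMPLE_TOKEN, "b3f1c2d4e5f60718293a4b5c6d7e8f91")
  puts secure_token_match?(SAMPLE_TOKEN, "short")
end
```

Both paths return the same booleans for the same inputs; the difference is only in timing behaviour, which is why the defect is invisible to functional tests and has to be caught by review of how secrets are compared.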

The information below is based on the following data on fixed versions.

Package               Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
ruby-rack-protection  source  stretch     1.5.3-2+deb9u1            DSA-4247-1
ruby-rack-protection  source  (unstable)  1.5.3-2.1                             892250

Notes

[jessie] - ruby-rack-protection <ignored> (Low prio package and low prio vulnerability according to RedHat)
[wheezy] - ruby-rack-protection <ignored> (Low prio package and low prio vulnerability according to RedHat)
https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470
https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395
https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
