CVE-2013-0263 Information

Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
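The comparison flaw described above, as an added Ruby example that is not Rack's own code: a naive cookie digest check using String#== beside a constant-time secure_compare of the kind Rack adopted in its fix. The cookie layout (data--hexdigest), the secret and the payload are constructed for this example; the function names are this example's own.

```ruby
require 'openssl'

# Constructed for the example only; never hard-code a real secret.
SECRET = 'example-secret-for-demo-only'

# Same shape as a cookie session store: HMAC-SHA1 over the encoded data.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Vulnerable form: String#== stops at the first differing byte, so the
# time taken to reject a guess leaks how many leading bytes were right.
def verify_cookie_naive(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  digest == generate_hmac(data, secret) ? data : nil
end

# Hardened form: XOR every byte pair and OR the results together, so the
# work done does not depend on where (or whether) the strings differ.
# The length check is not secret here because the digest length is fixed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  r, i = 0, -1
  b.each_byte { |v| r |= v ^ l[i += 1] }
  r == 0
end

def verify_cookie_secure(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  secure_compare(digest, generate_hmac(data, secret)) ? data : nil
end

# Self-check on a constructed valid cookie and a constructed forgery whose
# digest has the right length but the wrong value.
def demo
  payload = 'BAh7AA=='  # constructed base64 session data
  good   = "#{payload}--#{generate_hmac(payload, SECRET)}"
  forged = "#{payload}--#{'0' * 40}"
  {
    good_naive:    verify_cookie_naive(good, SECRET),
    good_secure:   verify_cookie_secure(good, SECRET),
    forged_naive:  verify_cookie_naive(forged, SECRET),
    forged_secure: verify_cookie_secure(forged, SECRET)
  }
end
```

Both forms accept and reject the same cookies; only the time they take to reject differs, which is why the fix is invisible to functional tests and must be checked by reading the comparison.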

Reference

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
http://rack.github.com/
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://secunia.com/advisories/52033
http://secunia.com/advisories/52134
http://secunia.com/advisories/52774
http://www.debian.org/security/2013/dsa-2783
http://www.osvdb.org/89939
https://bugzilla.redhat.com/show_bug.cgi?id=909071
https://gist.github.com/codahale/f9f3781f7b54985bee94
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
https://groups.google.com/forum/!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
https://groups.google.com/forum/!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
https://groups.google.com/forum/!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
https://groups.google.com/forum/!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
https://puppet.com/security/cve/cve-2013-0263
https://twitter.com/coda/statuses/299732877745197056