-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1495.2
                        librack-ruby security update
                               25 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librack-ruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0263 CVE-2013-0184 CVE-2013-0183 CVE-2011-5036

Reference:         ESB-2013.0445
                   ESB-2013.0377
                   ESB-2013.0271
                   ESB-2013.0267

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2783

Revision History:  October 25 2013: Added CVE-2013-0183
                   October 22 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - --------------------------------------------------------------------------
Debian Security Advisory DSA-2783-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
October 24, 2013                       http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : librack-ruby
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263
Debian Bug     : 653963 698440 700226

The update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.
The patch applied breaks rails applications like redmine (see Debian Bug
#727187). Updated packages are available to address this problem. For
reference, the original advisory text follows:

Several vulnerabilities were discovered in Rack, a modular Ruby webserver
interface.
The Common Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CVE-2011-5036

    Rack computes hash values for form parameters without restricting the
    ability to trigger hash collisions predictably, which allows remote
    attackers to cause a denial of service (CPU consumption) by sending
    many crafted parameters.

CVE-2013-0184

    Vulnerability in Rack::Auth::AbstractRequest allows remote attackers
    to cause a denial of service via unknown vectors.

CVE-2013-0263

    Rack::Session::Cookie allows remote attackers to guess the session
    cookie, gain privileges, and execute arbitrary code via a timing
    attack involving an HMAC comparison function that does not run in
    constant time.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.

The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version 1.4.1-2.1
of the ruby-rack package.

We recommend that you upgrade your librack-ruby packages.
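The comparison weakness behind CVE-2013-0263, shown as an added illustration that is not part of the Debian advisory or of Rack's own code: a signed-cookie verifier using Ruby's String#== beside one using a constant-time byte comparison. The "payload--hmac" cookie layout, the function names and the secret are assumptions constructed for this example.

```ruby
require "openssl"

SECRET = "constructed-demo-secret" # constructed; a real deployment uses a long random value

# Sign a serialised session payload with HMAC-SHA1, the digest
# Rack::Session::Cookie used at the time of this advisory.
def sign(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
end

# Build a cookie in the assumed "payload--hmac" shape (strict base64 payload).
def build_cookie(secret, session)
  data = [session].pack("m0")
  "#{data}--#{sign(secret, data)}"
end

# Vulnerable shape: String#== returns at the first differing byte, so the
# time taken leaks how many leading bytes of a guessed digest are right.
def verify_naive(secret, cookie)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  sign(secret, data) == digest ? data.unpack1("m0") : nil
end

# Constant-time comparison: every byte is examined and mismatches are
# OR-ed into an accumulator, so timing does not depend on where they sit.
# (The length check only leaks length, which is fixed for a given digest.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.each_byte.with_index { |x, i| acc |= x ^ b.getbyte(i) }
  acc.zero?
end

# Hardened verifier: same cookie format, constant-time digest check.
def verify_secure(secret, cookie)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  secure_compare(sign(secret, data), digest) ? data.unpack1("m0") : nil
end

if __FILE__ == $0
  cookie = build_cookie(SECRET, "user_id=42")
  puts verify_secure(SECRET, cookie).inspect
  puts verify_secure(SECRET, cookie.sub(/--.*/, "--deadbeef")).inspect
end
```

Later Rack releases ship a constant-time comparison for this purpose; the point of the two verifiers above is that the cookie format and the signing key are identical, and only the comparison step changes.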
Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.