Operating System:

[Debian]

Published:

25 October 2013

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.1495.2
                       librack-ruby security update
                              25 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librack-ruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0263 CVE-2013-0184 CVE-2013-0183
                   CVE-2011-5036  

Reference:         ESB-2013.0445
                   ESB-2013.0377
                   ESB-2013.0271
                   ESB-2013.0267

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2783

Revision History:  October 25 2013: Added CVE-2013-0183
                   October 22 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - --------------------------------------------------------------------------
Debian Security Advisory DSA-2783-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
October 24, 2013                       http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : librack-ruby
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263
Debian Bug     : 653963 698440 700226

The update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.
The patch applied breaks rails applications like redmine (see Debian Bug
#727187). Updated packages are available to address this problem.

For reference, the original advisory text follows:

Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilites and Exposures project
identifies the following vulnerabilities:

CVE-2011-5036

    Rack computes hash values for form parameters without restricting
    the ability to trigger hash collisions predictably, which allows
    remote attackers to cause a denial of service (CPU consumption)
    by sending many crafted parameters.

CVE-2013-0184

    Vulnerability in Rack::Auth::AbstractRequest allows remote
    attackers to cause a denial of service via unknown vectors.

CVE-2013-0263

    Rack::Session::Cookie allows remote attackers to guess the
    session cookie, gain privileges, and execute arbitrary code via a
    timing attack involving am HMAC comparison function that does not
    run in constant time.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.

The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.

We recommend that you upgrade your librack-ruby packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSaXS+AAoJEAVMuPMTQ89EmmEP/jR1XHtOt+qIbRe68DkmR3T+
c13FpFVTh2Q2jGiPWtLeUox25Zr6XN3ZtOVlOXbJpJbT51rFqf5KeVU+2EO9bukA
/UIvMmU7SNqE14vmCLBhhZfbjzlB7phtVtfqY2SMryeRW0KV8L2daljtSzJpb36D
O6tRdCaS1O6LsNoCu4gV5o1j9sS7HenoG7f3zyXlPQvPOLkbqZoZseJkG5rlrFmu
z8TYVxPLXalAOSYRa09ckJm9e5L91/zl3JXKbB4Amn/sjLrE/3aT0ipFX2FHNVCb
IRIlyTRIcrfKzuPabGwf/HdJDKu3LqeoJXjc9OytT5XHoBzHyMRg3imI/evPInUB
r0F14/mCZgI7R7HWRYL9YI7oI3M1SLXXoVjT04dZJWFkIuetypfeNAn7gmWE+B5K
iX8OqswZceOj9FTJuDxZAur9nowc9leDP9xXwlpa10z6N380ax3vrYRhXWwaW5io
tuq5YTQN9tW3N2L0oDTmZQVCZFHqJMojEq/2rogAymBIp4TPvxrSEn0p9kHpfrur
8+/QKYPmGXZ7SXXxlnPQDrqhFAcsobl62+obfuFXOquC+J+Snk5JJQ3I0on2qq4X
6ZqfX4bA5IGnA2cohar5QpyE4QY0Rrc8EnylNkkZufLbhwin+eIYwHXz3Dbuj8uX
PfBHzdV0zkVpegKYbiBw
=HGaa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUmmjfxLndAQH1ShLAQK8Zw//Q9MhTBJxyQpRsJwJD+q//jdr46i5Gb+D
uS3RJOrttyYeDlDivlgLw+Gi3ux4bYAS9yVNbU8sGtp6Ocx+cpZa+CYP1Xd4tzay
KXkpc6Sl+GJP/1ZCkLQXpSWcrREZYK6RMBn4k1JAamlUhl3/SDgNK217LtW5FJtV
NIyPOoz8jpOq6qtIJgoyJsEvIa/sU1TvCEuY2nyN2ksNpXP+KlBj/JYCfwS46QDI
3sDSyplDSVFXMSWMkSojk3uWWo4lPmtk6bRYh/R6BHIq2KD+7BH/9CtEtsqNMg/Y
oI1JtDoqQJL+rLd1X2Q7XfTCAW7mWjtHCaJj+NyDaUJs6db0vNRpT0jtVJ+Ma+Pa
dtfCCLrCyhpNX+YFTAjK4Sh5/lb0INIf8Y+/EZPg/ppsSmmyACr8VDnU2NmNmRFV
iXZDgh4KTUlJRJ1vMJpaoNdc0c1KZHsKHbFakv3n4IKbwovcwvFm20TR9MFKjOuo
tURF2w5sEtMiDdfNvD43s2KsFbDpzPZ+ChymA/Zql6ByZbcRxqeSZVT25u3F7vts
nmJJJ9+qfx0nMoTDuoUHswkUiHa0yxOPjPba3A6u99sg7UbRYIyRxa1wzH9+ayHy
eVUBWfqqHKHetsjOKg9RDgdjQgsht+2lkLso8GoZo0gbPNKzIPTyuSynDmtmjKMZ
unGa4+nPWCk=
=RmK3
-----END PGP SIGNATURE-----