svn commit: r521360 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Sun Dec 29 12:58:30 UTC 2019
Author: sunpoet
Date: Sun Dec 29 12:58:28 2019
New Revision: 521360
URL: https://svnweb.freebsd.org/changeset/ports/521360
Log:
Document rubygem-rack vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Dec 29 12:58:21 2019 (r521359)
+++ head/security/vuxml/vuln.xml Sun Dec 29 12:58:28 2019 (r521360)
@@ -58,6 +58,46 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="66e4dc99-28b3-11ea-8dde-08002728f74c">
+ <topic>rack -- information leak / session hijack vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-rack</name>
+ <range><ge>2.0.0</ge><lt>2.0.8,3</lt></range>
+ </package>
+ <package>
+ <name>rubygem-rack16</name>
+ <range><ge>1.6.0</ge><lt>1.6.12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>National Vulnerability Database:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2019-16782">
+ <p>There's a possible information leak / session hijack vulnerability in
+ Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12
+ and 2.0.8. Attackers may be able to find and hijack sessions by using
+ timing attacks targeting the session id. Session ids are usually stored
+ and indexed in a database that uses some kind of scheme for speeding up
+ lookups of that session id. By carefully measuring the amount of time
+ it takes to look up a session, an attacker may be able to find a valid
+ session id and hijack the session. The session id itself may be
+ generated randomly, but the way the session is indexed by the backing
+ store does not use a secure comparison.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2019-16782</url>
+ <url>https://github.com/rack/rack/blob/master/CHANGELOG.md</url>
+ <cvename>CVE-2019-16782</cvename>
+ </references>
+ <dates>
+ <discovery>2019-12-08</discovery>
+ <entry>2019-12-29</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e4d9dffb-2a32-11ea-9693-e1b3f6feec79">
<topic>OpenEXR -- heap buffer overflow, and out-of-memory bugs</topic>
<affects>
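Review bot: the rubygem-rack range in this hunk mixes bound forms: `<ge>2.0.0</ge>` carries no PORTEPOCH suffix while `<lt>2.0.8,3</lt>` does. Because pkg compares the epoch before the version part, a bare `2.0.0` sorts as epoch 0 and the lower bound then matches more than intended; confirm that the port's versions actually carry `,3` and, if so, write `<ge>2.0.0,3</ge>` so both bounds are expressed the same way. Separately, the reference `https://github.com/rack/rack/blob/master/CHANGELOG.md` points at a moving branch; a link pinned to the 2.0.8 or 1.6.12 tag, or to the upstream advisory for CVE-2019-16782, would keep the reference stable.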