[Secure-testing-team] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 9 13:15:34 UTC 2013
Source: ruby-rack
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for ruby-rack.
CVE-2013-0262[0]:
Path sanitization information disclosure
CVE-2013-0263[1]:
Timing attack in cookie sessions
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Patches/upstream commits are referenced in the security tracker.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-0262
[1] http://security-tracker.debian.org/tracker/CVE-2013-0263
Please adjust the affected versions in the BTS as needed.
Note: According to the Red Hat bug tracker, for CVE-2013-0262 only
versions after 1.4.x are affected; for CVE-2013-0263 all previous
versions are affected. Could you please double check this, and mark
accordingly?
Regards,
Salvatore
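The cookie-session issue (CVE-2013-0263) comes down to how a session signature is compared. The following added example is not code from this report or from Rack itself: it sketches a Rack-style signed cookie check with a constant-time digest comparison beside the short-circuiting `==` form; the secret, payload and helper names are constructed for illustration.

```ruby
require 'openssl'

# Constructed secret for the example; not a value from the original report.
SECRET = 'example-secret-not-for-production'

# Sign a serialized session the way a cookie-based session store does:
# HMAC-SHA1 over the payload, returned as "payload--hexdigest".
def sign_session(payload, secret = SECRET)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison of two equal-length strings: every byte is XORed and
# OR-accumulated, so the running time does not depend on where the first
# mismatching byte sits. A length mismatch is rejected up front.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  acc = 0
  b.each_byte { |v| acc |= v ^ left.shift }
  acc.zero?
end

# Verify a cookie and return its payload, or nil if the signature does not match.
# With constant_time: false the comparison uses ==, which stops at the first
# differing byte; that data-dependent timing is what the CVE describes.
def verify_session(cookie, secret = SECRET, constant_time: true)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  ok = constant_time ? secure_compare(digest, expected) : digest == expected
  ok ? payload : nil
end
```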