author | Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> | 2019-12-29 12:58:28 +0000 |
---|---|---|
committer | Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> | 2019-12-29 12:58:28 +0000 |
commit | 391d196238df8bb574010221a37f065a81765e72 (patch) | |
tree | 8022d662a2d561aa996ae26610354b709a4a75b4 /security | |
parent | bbae62976349f5e5141061e33e104f35d31881d9 (diff) |
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 502b814dae6b..83284607c19e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="66e4dc99-28b3-11ea-8dde-08002728f74c"> + <topic>rack -- information leak / session hijack vulnerability</topic> + <affects> + <package> + <name>rubygem-rack</name> + <range><ge>2.0.0</ge><lt>2.0.8,3</lt></range> + </package> + <package> + <name>rubygem-rack16</name> + <range><ge>1.6.0</ge><lt>1.6.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>National Vulnerability Database:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2019-16782"> + <p>There's a possible information leak / session hijack vulnerability in + Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 + and 2.0.8. Attackers may be able to find and hijack sessions by using + timing attacks targeting the session id. Session ids are usually stored + and indexed in a database that uses some kind of scheme for speeding up + lookups of that session id. By carefully measuring the amount of time + it takes to look up a session, an attacker may be able to find a valid + session id and hijack the session. The session id itself may be + generated randomly, but the way the session is indexed by the backing + store does not use a secure comparison.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nvd.nist.gov/vuln/detail/CVE-2019-16782</url> + <url>https://github.com/rack/rack/blob/master/CHANGELOG.md</url> + <cvename>CVE-2019-16782</cvename> + </references> + <dates> + <discovery>2019-12-08</discovery> + <entry>2019-12-29</entry> + </dates> + </vuln> + <vuln vid="e4d9dffb-2a32-11ea-9693-e1b3f6feec79"> <topic>OpenEXR -- heap buffer overflow, and out-of-memory bugs</topic> <affects> |
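Review bot: the second `<url>` in the new `<references>` block points at the CHANGELOG on the `master` branch (`https://github.com/rack/rack/blob/master/CHANGELOG.md`), which is a moving target and will stop pointing at the relevant text as the file grows; pin it to the release that carries the fix, e.g. the 2.0.8 tag or the specific commit, so the reference stays stable. The rest of the entry looks consistent: the two `<range>` elements match the patched versions named in the quoted NVD text (1.6.12 for `rubygem-rack16`, 2.0.8 for `rubygem-rack`, with the port's `,3` epoch), and the `<cvename>` agrees with the `cite` attribute on the blockquote.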