Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2020-0252)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2020.0252

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2020-0252)

Resumen: The remote host is missing an update for the 'ruby-rack' package(s) announced via the MGASA-2020-0252 advisory.

Descripción: Summary:
The remote host is missing an update for the 'ruby-rack' package(s) announced via the MGASA-2020-0252 advisory.

Vulnerability Insight:
Updated ruby-rack packages fix security vulnerabilities:

There's a possible information leak / session hijack vulnerability in
Rack(RubyGem rack). Attackers may be able to find and hijack sessions
by using timing attacks targeting the session id. Session ids are usually
stored and indexed in a database that uses some kind of scheme for
speeding up lookups of that session id. By carefully measuring the amount
of time it takes to look up a session, an attacker may be able to find a
valid session id and hijack the session. The session id itself may be
generated randomly, but the way the session is indexed by the backing
store does not use a secure comparison (CVE-2019-16782).

If certain directories exist in a director that is managed by
Rack::Directory, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified
in the Rack::Directory initializer (CVE-2020-8161).

Affected Software/OS:
'ruby-rack' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2019-16782
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/
http://www.openwall.com/lists/oss-security/2019/12/19/3
http://www.openwall.com/lists/oss-security/2019/12/18/2
http://www.openwall.com/lists/oss-security/2019/12/18/3
http://www.openwall.com/lists/oss-security/2020/04/09/2
http://www.openwall.com/lists/oss-security/2020/04/08/1
SuSE Security Announcement: openSUSE-SU-2020:0214 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-8161
https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA
https://hackerone.com/reports/434404
https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html
https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html
https://usn.ubuntu.com/4561-1/

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2020.0252
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2020-0252)
Resumen:	The remote host is missing an update for the 'ruby-rack' package(s) announced via the MGASA-2020-0252 advisory.
Descripción:	Summary: The remote host is missing an update for the 'ruby-rack' package(s) announced via the MGASA-2020-0252 advisory. Vulnerability Insight: Updated ruby-rack packages fix security vulnerabilities: There's a possible information leak / session hijack vulnerability in Rack(RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison (CVE-2019-16782). If certain directories exist in a director that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer (CVE-2020-8161). Affected Software/OS: 'ruby-rack' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2019-16782 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/ http://www.openwall.com/lists/oss-security/2019/12/19/3 http://www.openwall.com/lists/oss-security/2019/12/18/2 http://www.openwall.com/lists/oss-security/2019/12/18/3 http://www.openwall.com/lists/oss-security/2020/04/09/2 http://www.openwall.com/lists/oss-security/2020/04/08/1 SuSE Security Announcement: openSUSE-SU-2020:0214 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html Common Vulnerability Exposure (CVE) ID: CVE-2020-8161 https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA https://hackerone.com/reports/434404 https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html https://usn.ubuntu.com/4561-1/
Copyright	Copyright (C) 2022 Greenbone AG