Test ID: 1.3.6.1.4.1.25623.1.0.702783
Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)
Description:

Summary:
Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CVE-2011-5036
Rack computes hash values for form parameters without restricting
the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters.

CVE-2013-0183
A remote attacker could cause a denial of service (memory
consumption and out-of-memory error) via a long string in a
Multipart HTTP packet.

CVE-2013-0184
A vulnerability in Rack::Auth::AbstractRequest allows remote
attackers to cause a denial of service via unknown vectors.

CVE-2013-0263
Rack::Session::Cookie allows remote attackers to guess the
session cookie, gain privileges, and execute arbitrary code via a
timing attack involving an HMAC comparison function that does not
run in constant time.
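The CVE-2013-0263 entry above describes a verification routine whose running time depends on how many leading bytes of a supplied HMAC match the expected one. The following Ruby is an added illustration, not Rack's or Debian's code: it signs a cookie payload with HMAC-SHA1 (the digest choice, the `EXAMPLE_SECRET` value and all function names are assumptions made for this example), shows the early-exit comparison pattern beside a constant-time one, and instruments both so the leak is visible as a byte count rather than as noisy timing.

```ruby
require 'openssl'

# Constructed secret for this example only; a real deployment uses a long random value.
EXAMPLE_SECRET = 'example-secret-not-from-the-advisory'

# Sign a cookie payload the way a Rack::Session::Cookie-style store might:
# hex HMAC-SHA1 over the serialized session. (Digest choice is an assumption here.)
def sign(payload, secret = EXAMPLE_SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
end

# Vulnerable pattern: String#== stops at the first differing byte, so the time a
# verification takes depends on how many leading bytes of the supplied digest match.
def verify_naive(payload, digest, secret = EXAMPLE_SECRET)
  sign(payload, secret) == digest
end

# Instrumented early-exit comparison returning [equal?, bytes_examined] so the leak
# is observable deterministically instead of through timing measurements.
def naive_compare_counted(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Hardened comparison: XOR every byte pair and OR the results together, so the work
# done does not depend on where (or whether) the inputs differ. The length check
# comes first because the expected digest length is public anyway.
def secure_compare_counted(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  [diff == 0, a.bytesize]
end

def secure_compare(a, b)
  secure_compare_counted(a, b).first
end

def verify_constant_time(payload, digest, secret = EXAMPLE_SECRET)
  secure_compare(sign(payload, secret), digest)
end

# Build a wrong digest that agrees with the real one for the first `prefix_len`
# characters; 'x' is never a hex digit, so the mismatch lands exactly at that index.
def wrong_digest_sharing_prefix(digest, prefix_len)
  d = digest.dup
  d[prefix_len] = 'x'
  d
end

if $PROGRAM_NAME == __FILE__
  payload = 'rack.session=constructed-example'
  real = sign(payload)
  [0, 10, 30].each do |n|
    guess = wrong_digest_sharing_prefix(real, n)
    puts "prefix #{n}: naive examined #{naive_compare_counted(real, guess).last} bytes, " \
         "constant-time examined #{secure_compare_counted(real, guess).last}"
  end
end
```

Running the block prints that the early-exit comparison examines 1, 11 and 31 bytes for the three constructed guesses while the constant-time version always examines all 40; that per-byte dependence is what a remote measurement would have to recover, and removing it is the whole of the fix. The length check in `secure_compare_counted` is deliberate: digest length is not secret, so returning early on a length mismatch leaks nothing useful.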

Affected Software/OS:
librack-ruby on Debian Linux

Solution:
For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.

The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.

We recommend that you upgrade your librack-ruby packages.

CVSS Score:
5.1

CVSS Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2011-5036
Bugtraq: 20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table
http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
CERT/CC vulnerability note: VU#903934
http://www.kb.cert.org/vuls/id/903934
Debian Security Information: DSA-2783
http://www.debian.org/security/2013/dsa-2783
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.ocert.org/advisories/ocert-2011-003.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-0183
https://bugzilla.redhat.com/show_bug.cgi?id=895282
RedHat Security Advisories: RHSA-2013:0544
http://rhn.redhat.com/errata/RHSA-2013-0544.html
RedHat Security Advisories: RHSA-2013:0548
http://rhn.redhat.com/errata/RHSA-2013-0548.html
SuSE Security Announcement: openSUSE-SU-2013:0462
http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-0184
https://bugzilla.redhat.com/show_bug.cgi?id=895384
Common Vulnerability Exposure (CVE) ID: CVE-2013-0263
https://bugzilla.redhat.com/show_bug.cgi?id=909071
https://gist.github.com/codahale/f9f3781f7b54985bee94
https://twitter.com/coda/statuses/299732877745197056
http://www.osvdb.org/89939
RedHat Security Advisories: RHSA-2013:0686
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://secunia.com/advisories/52033
http://secunia.com/advisories/52134
http://secunia.com/advisories/52774

Copyright: (C) 2013 Greenbone Networks GmbH, http://greenbone.net

© 1998-2020 E-Soft Inc. All rights reserved.