Security update for rubygem-rack SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0214-1 Final 1 1 2020-02-12T15:13:37Z current 2020-02-12T15:13:37Z 2020-02-12T15:13:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-rack This update for rubygem-rack to version 2.0.8 fixes the following issues: - CVE-2018-16471: Fixed a cross-site scripting (XSS) flaw via the scheme method on Rack::Request (bsc#1116600). - CVE-2019-16782: Fixed a possible information leak and session hijack vulnerability (bsc#1159548). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-214 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PWBQQBBNBE3RHXMQEZDL7RQ4YUOWFJS5/ E-Mail link for openSUSE-SU-2020:0214-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1114828 SUSE Bug 1114828 https://bugzilla.suse.com/1116600 SUSE Bug 1116600 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://www.suse.com/security/cve/CVE-2018-16471/ SUSE CVE CVE-2018-16471 page https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page openSUSE Leap 15.1 ruby2.5-rubygem-rack-2.0.8-lp151.3.3.1 ruby2.5-rubygem-rack-doc-2.0.8-lp151.3.3.1 ruby2.5-rubygem-rack-testsuite-2.0.8-lp151.3.3.1 ruby2.5-rubygem-rack-2.0.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 ruby2.5-rubygem-rack-doc-2.0.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 ruby2.5-rubygem-rack-testsuite-2.0.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. CVE-2018-16471 openSUSE Leap 15.1:ruby2.5-rubygem-rack-2.0.8-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-rack-doc-2.0.8-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-rack-testsuite-2.0.8-lp151.3.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PWBQQBBNBE3RHXMQEZDL7RQ4YUOWFJS5/ https://www.suse.com/security/cve/CVE-2018-16471.html CVE-2018-16471 https://bugzilla.suse.com/1114828 SUSE Bug 1114828 https://bugzilla.suse.com/1116600 SUSE Bug 1116600 https://bugzilla.suse.com/1122178 SUSE Bug 1122178 There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 openSUSE Leap 15.1:ruby2.5-rubygem-rack-2.0.8-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-rack-doc-2.0.8-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-rack-testsuite-2.0.8-lp151.3.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PWBQQBBNBE3RHXMQEZDL7RQ4YUOWFJS5/ https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174