| Bug ID | 1084436 |
|---|---|
| Summary | VUL-1: CVE-2018-1000119: rack-protection: Timing attack in authenticity_token.rb |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 42.3 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/201358/ |
| OS | Other |
| Status | NEW |
| Severity | Minor |
| Priority | P5 - None |
| Component | Security |
| Assignee | ruby-devel@suse.de |
| Reporter | jsegitz@suse.com |
| QA Contact | security-team@suse.de |
| CC | cmueller@suse.com |
| Found By | Security Response Team |
| Blocker | --- |
rh#1534027 Sinatra rack-protection version 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 2.0.0. Leap 42.3 and infrastructure References: https://bugzilla.redhat.com/show_bug.cgi?id=1534027 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000119 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000119.html https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109 https://github.com/sinatra/rack-protection/pull/98