Debian-LTS has issued an advisory on May 23: https://www.debian.org/lts/security/2020/dla-2216
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available upstream
Blocks: (none) => 25915
cauldron is not affected.
Versions Affected: rack < 2.2.0
ruby-rack-2.0.6-1.1.mga7 is pushed in mga7
Whiteboard: MGA7TOO => (none)
Assignee: pterjan => qa-bugs
Status comment: Patches available upstream => (none)
CC: (none) => mageia
We also need to address Bug 25915.
CC: (none) => pterjan
Version: Cauldron => 7
Assignee: qa-bugs => mageia
Source RPM: ruby-rack-2.2.2-1.mga8.src.rpm => ruby-rack-2.0.6-1.mga7.src.rpm
Advisory:
========================

Updated ruby-rack packages fix security vulnerabilities:

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison (CVE-2019-16782).

If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer (CVE-2020-8161).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8161
https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/
https://www.debian.org/lts/security/2020/dla-2216
https://bugs.mageia.org/show_bug.cgi?id=25915
https://bugs.mageia.org/show_bug.cgi?id=26688
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.0.8-1.mga7
ruby-rack-doc-2.0.8-1.mga7

from ruby-rack-2.0.8-1.mga7.src.rpm
Assignee: mageia => qa-bugs
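As an added illustration of the two fixes the advisory above describes (example code, not Rack's own, using only Ruby's standard library): a session store that indexes sessions by a hashed private id and compares ids in constant time, and a root-containment check for paths served from a directory. The "2::" + SHA-256 private id scheme, the HashedSessionStore class and the inside_root? helper are assumptions modelled on the Rack 2.0.8 behaviour, not copied from it.

```ruby
# Added example, not Rack's own code: stdlib-only sketches of the two
# mitigations in the advisory above (Rack 2.0.8 / CVE-2019-16782, CVE-2020-8161).
require "digest"

# Constant-time comparison: every byte is examined whatever the result, so the
# time taken does not reveal how many leading bytes of a guess were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Assumption: a "2::" + SHA-256 private id, modelled on the scheme Rack 2.0.8
# introduced. The backing store only ever sees this hash, so timing leaks in
# its index reveal the hash, not the id the cookie carries.
def private_id(public_id)
  "2::" + Digest::SHA256.hexdigest(public_id)
end

# Hypothetical in-memory store keyed by private id.
class HashedSessionStore
  def initialize
    @sessions = {}
  end
  def write(public_id, data)
    @sessions[private_id(public_id)] = data
  end
  def read(public_id)
    key = private_id(public_id)
    @sessions.each { |k, v| return v if secure_compare(k, key) }
    nil
  end
  # True if the raw cookie value ever appears in an index key (it should not).
  def stores_raw_id?(public_id)
    @sessions.keys.any? { |k| k.include?(public_id) }
  end
end

# Hypothetical containment check for a directory-serving handler: the resolved
# path must be the root itself or live below it. Lexical only; a production
# check should also resolve symlinks with File.realpath before serving.
def inside_root?(root, requested)
  root = File.expand_path(root)
  target = File.expand_path(requested.sub(%r{\A/+}, ""), root)
  target == root || target.start_with?(root + File::SEPARATOR)
end
```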
Created attachment 11664 [details]
Ruby script to demonstrate "middleware" requests

This starts a server at localhost:8080/ and should return a message like "App took 3 seconds."
CC: (none) => tarazed25
Ran functionality tests before and after based on the tutorial at https://thoughtbot.com/upcase/videos/rack

$ cat hello.rb
#!/bin/env ruby
require "rack"
require "thin"

class HelloWorld
  def call(env)
    [ 200, { "Content-Type" => "text/plain" }, ["Hello World"] ]
  end
end

Rack::Handler::Thin.run HelloWorld.new
# Rack is the framework and thin a simple webserver.
------------------------------------------------------------------
See the attachment for middleware script.

There is an application called sinatra which uses rack. It is a domain specific language, essentially a ruby meta-language to simplify building web applications. Sticking to the tutorial route here but tested to see that ruby-sinatra could be installed.

ruby-mustermann 1.0.3 2.mga7 noarch
ruby-rack 2.0.6 1.mga7 noarch
ruby-rack-protection 2.0.5 1.mga7 noarch
ruby-sinatra 2.0.5 2.mga7 noarch
ruby-tilt 2.0.9 1.mga7 noarch

CVE-2018-16471 https://seclists.org/oss-sec/2018/q4/129
An example of vulnerable code is given but does not mean much here.

The tutorial worked fine after updating rack and rack-doc.

$ ruby hello.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

Move to browser at localhost:8080/ to see the expected message.

Modifying this a little shows the structure of the env object at 8080 in firefox.

$ irb
irb(main):001:0> require "rack"
=> true
irb(main):002:0> require "thin"
=> true
irb(main):003:0> app = -> (env) do
irb(main):004:1*   [ 200, { "Content-Type" => "text/plain" }, env ]
irb(main):005:1> end
=> #<Proc:0x000000000104a988@(irb):3 (lambda)>
irb(main):006:0>
irb(main):007:0> Rack::Handler::Thin.run app
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop
^CStopping ...
=> nil

firefox @ localhost:8080/
["SERVER_SOFTWARE", "thin 1.7.2 codename Bachmanity"]
["SERVER_NAME", "localhost"]
["rack.input", #<StringIO:0x000000000104d4d0>]
["rack.version", [1, 0]]
["rack.errors", #<IO:<STDERR>>]
["rack.multithread", false]
["rack.multiprocess", false]
["rack.run_once", false]
["REQUEST_METHOD", "GET"]
["REQUEST_PATH", "/"]
["PATH_INFO", "/"]
["REQUEST_URI", "/"]
["HTTP_VERSION", "HTTP/1.1"]
["HTTP_HOST", "localhost:8080"]
["HTTP_USER_AGENT", "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"]
["HTTP_ACCEPT", ..................
"rack.url_scheme"=>"http", "SCRIPT_NAME"=>"", "REMOTE_ADDR"=>"::1", "async.callback"=>#<Method: #<Thin::Connection:0x000000000104d660 ...>.post_process>, "async.close"=>#<EventMachine::DefaultDeferrable:0x000000000104ce68>}>, @backend=#<Thin::Backends::TcpServer:0x000000000110fd28 @host="::1", ..................

$ ruby middle.rb
Checked localhost:8080/
Hello World
App took 3 seconds.

Not very thorough but probably enough for an OK.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0252.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED