Bug 26688 - ruby-rack new security issue CVE-2020-8161
Summary: ruby-rack new security issue CVE-2020-8161
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25915
Reported: 2020-05-26 23:33 CEST by David Walser
Modified: 2020-06-11 00:58 CEST (History)

See Also:
Source RPM: ruby-rack-2.0.6-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Ruby script to demonstrate "middleware" requests (497 bytes, application/x-ruby)
2020-05-28 01:29 CEST, Len Lawrence

Description David Walser 2020-05-26 23:33:12 CEST
Debian-LTS has issued an advisory on May 23:
https://www.debian.org/lts/security/2020/dla-2216

Mageia 7 is also affected.
David Walser 2020-05-26 23:33:28 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available upstream
Blocks: (none) => 25915

Comment 1 Nicolas Lécureuil 2020-05-27 21:44:08 CEST
cauldron is not affected.

Versions Affected:  rack < 2.2.0


ruby-rack-2.0.6-1.1.mga7 is pushed in mga7

Whiteboard: MGA7TOO => (none)
Assignee: pterjan => qa-bugs
Status comment: Patches available upstream => (none)
CC: (none) => mageia

Comment 2 David Walser 2020-05-27 21:49:35 CEST
We also need to address Bug 25915.

CC: (none) => pterjan
Version: Cauldron => 7
Assignee: qa-bugs => mageia
Source RPM: ruby-rack-2.2.2-1.mga8.src.rpm => ruby-rack-2.0.6-1.mga7.src.rpm

Comment 3 David Walser 2020-05-27 22:31:16 CEST
Advisory:
========================

Updated ruby-rack packages fix security vulnerabilities:

There's a possible information leak / session hijack vulnerability in Rack
(RubyGem rack). Attackers may be able to find and hijack sessions by using
timing attacks targeting the session id. Session ids are usually stored and
indexed in a database that uses some kind of scheme for speeding up lookups of
that session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack the
session. The session id itself may be generated randomly, but the way the
session is indexed by the backing store does not use a secure comparison
(CVE-2019-16782).

If certain directories exist in a directory that is managed by Rack::Directory,
an attacker could, using this vulnerability, read the contents of files on the
server that were outside of the root specified in the Rack::Directory
initializer (CVE-2020-8161).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8161
https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/
https://www.debian.org/lts/security/2020/dla-2216
https://bugs.mageia.org/show_bug.cgi?id=25915
https://bugs.mageia.org/show_bug.cgi?id=26688
========================

Updated packages in core/updates_testing:
========================
ruby-rack-2.0.8-1.mga7
ruby-rack-doc-2.0.8-1.mga7

from ruby-rack-2.0.8-1.mga7.src.rpm

Assignee: mageia => qa-bugs
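As an added illustration of the root check the advisory describes for CVE-2020-8161 (this is example code written for this page, not code from Rack, the advisory or the bug report): a hypothetical SafeDirectory helper canonicalises each request path against its document root and serves nothing that resolves outside it, including through a symlink placed under the root. The temporary directory layout it builds is constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper, not Rack's own Rack::Directory: resolve a request
# path against a document root and refuse anything that lands outside it,
# which is the class of defect the advisory describes for CVE-2020-8161.
class SafeDirectory
  def initialize(root)
    @root = File.realpath(root)        # canonical root, symlinks resolved
  end

  # Absolute path of the file or directory to serve, or nil if the request
  # escapes the root, names nothing that exists, or is malformed.
  def resolve(request_path)
    # Decode percent-encoding first so "%2e%2e" is normalised like "..".
    decoded = request_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    return nil if decoded.include?("\0")
    # Drop leading slashes: an absolute path would otherwise ignore the root.
    candidate = File.expand_path(decoded.sub(%r{\A/+}, ""), @root)
    return nil unless inside_root?(candidate)
    # Resolve symlinks and check again: a link under the root may point out.
    real = File.realpath(candidate)
    inside_root?(real) ? real : nil
  rescue SystemCallError
    nil                                # missing file, permission error, ...
  end

  private

  def inside_root?(path)
    path == @root || path.start_with?(@root + File::SEPARATOR)
  end
end

# Constructed layout: a root with one stylesheet, a file outside the root,
# and a symlink inside the root that points at that outside file.
# Returns request path => whether the helper would serve it.
def safe_directory_demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "public")
    FileUtils.mkdir_p(File.join(root, "css"))
    File.write(File.join(root, "css", "site.css"), "body {}")
    File.write(File.join(tmp, "secret.txt"), "outside the root")
    File.symlink(File.join(tmp, "secret.txt"), File.join(root, "link"))
    dir = SafeDirectory.new(root)
    ["/css/site.css", "/css/../css/site.css", "/../secret.txt",
     "/%2e%2e/secret.txt", "/link", "/nope.txt"].to_h { |p| [p, !dir.resolve(p).nil?] }
  end
end

puts safe_directory_demo if $PROGRAM_NAME == __FILE__
```

Note that "/css/../css/site.css" is still served: the check is on where the path ends up after normalisation, not on whether ".." appears in it.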

Comment 4 Len Lawrence 2020-05-28 01:29:24 CEST
Created attachment 11664 [details]
Ruby script to demonstrate "middleware" requests

This starts a server at localhost:8080/ and should return a message like 
"App took 3 seconds."

CC: (none) => tarazed25

Comment 5 Len Lawrence 2020-05-28 01:51:28 CEST
Ran functionality tests before and after based on the tutorial at https://thoughtbot.com/upcase/videos/rack

$ cat hello.rb
#!/usr/bin/env ruby
require "rack"
require "thin"

# Minimal Rack application: any object that responds to call(env) and
# returns [status, headers, body] is a valid Rack app.
class HelloWorld
  def call(env)
    [ 200, { "Content-Type" => "text/plain" }, ["Hello World"] ]
  end
end

# Serve the app with the Thin handler (listens on localhost:8080).
Rack::Handler::Thin.run HelloWorld.new
# Rack is the framework and thin a simple webserver.

------------------------------------------------------------------
See the attachment for middleware script.

There is an application called sinatra which uses rack.  It is a domain specific language, essentially a ruby meta-language to simplify building web applications.  Sticking to the tutorial route here but tested to see that ruby-sinatra could be installed.
  ruby-mustermann                1.0.3        2.mga7        noarch  
  ruby-rack                      2.0.6        1.mga7        noarch  
  ruby-rack-protection           2.0.5        1.mga7        noarch  
  ruby-sinatra                   2.0.5        2.mga7        noarch  
  ruby-tilt                      2.0.9        1.mga7        noarch  

CVE-2018-16471
https://seclists.org/oss-sec/2018/q4/129
An example of vulnerable code is given but does not mean much here.

The tutorial worked fine after updating rack and rack-doc.

$ ruby hello.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

Move to browser at localhost:8080/
to see the expected message.


Modifying this a little shows the structure of the env object at 8080 in firefox.
$ irb
irb(main):001:0> require "rack"
=> true
irb(main):002:0> require "thin"
=> true
irb(main):003:0> app = -> (env) do
irb(main):004:1*   [ 200, { "Content-Type" => "text/plain" }, env ]
irb(main):005:1> end
=> #<Proc:0x000000000104a988@(irb):3 (lambda)>
irb(main):006:0>
irb(main):007:0> Rack::Handler::Thin.run app
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop
^CStopping ...
=> nil

firefox @ localhost:8080/

["SERVER_SOFTWARE", "thin 1.7.2 codename Bachmanity"]["SERVER_NAME", "localhost"]["rack.input", #<StringIO:0x000000000104d4d0>]["rack.version", [1, 0]]["rack.errors", #<IO:<STDERR>>]["rack.multithread", false]["rack.multiprocess", false]["rack.run_once", false]["REQUEST_METHOD", "GET"]["REQUEST_PATH", "/"]["PATH_INFO", "/"]["REQUEST_URI", "/"]["HTTP_VERSION", "HTTP/1.1"]["HTTP_HOST", "localhost:8080"]["HTTP_USER_AGENT", "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"]["HTTP_ACCEPT",
..................
"rack.url_scheme"=>"http", "SCRIPT_NAME"=>"", "REMOTE_ADDR"=>"::1", "async.callback"=>#<Method: #<Thin::Connection:0x000000000104d660 ...>.post_process>, "async.close"=>#<EventMachine::DefaultDeferrable:0x000000000104ce68>}>, @backend=#<Thin::Backends::TcpServer:0x000000000110fd28 @host="::1",
..................

$ ruby middle.rb
Checked localhost:8080/

Hello World
App took 3 seconds.

Not very thorough but probably enough for an OK.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-05-28 15:17:48 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-28 22:32:00 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-06-11 00:58:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0252.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

