ruby2.7-rubygem-rack-2.0-2.0.9-1.10 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11346 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby2.7-rubygem-rack-2.0-2.0.9-1.10 on GA media These are all security issues fixed in the ruby2.7-rubygem-rack-2.0-2.0.9-1.10 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11346 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11346 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-0262/ SUSE CVE CVE-2013-0262 page https://www.suse.com/security/cve/CVE-2013-0263/ SUSE CVE CVE-2013-0263 page https://www.suse.com/security/cve/CVE-2015-3225/ SUSE CVE CVE-2015-3225 page https://www.suse.com/security/cve/CVE-2018-16471/ SUSE CVE CVE-2018-16471 page https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page openSUSE Tumbleweed ruby2.7-rubygem-rack-2.0-2.0.9-1.10 ruby3.0-rubygem-rack-2.0-2.0.9-1.10 ruby2.7-rubygem-rack-2.0-2.0.9-1.10 as a component of openSUSE Tumbleweed ruby3.0-rubygem-rack-2.0-2.0.9-1.10 as a component of openSUSE Tumbleweed rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." CVE-2013-0262 openSUSE Tumbleweed:ruby2.7-rubygem-rack-2.0-2.0.9-1.10 openSUSE Tumbleweed:ruby3.0-rubygem-rack-2.0-2.0.9-1.10 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0262.html CVE-2013-0262 https://bugzilla.suse.com/802795 SUSE Bug 802795 Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. CVE-2013-0263 openSUSE Tumbleweed:ruby2.7-rubygem-rack-2.0-2.0.9-1.10 openSUSE Tumbleweed:ruby3.0-rubygem-rack-2.0-2.0.9-1.10 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0263.html CVE-2013-0263 https://bugzilla.suse.com/802794 SUSE Bug 802794 https://bugzilla.suse.com/809839 SUSE Bug 809839 lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. CVE-2015-3225 openSUSE Tumbleweed:ruby2.7-rubygem-rack-2.0-2.0.9-1.10 openSUSE Tumbleweed:ruby3.0-rubygem-rack-2.0-2.0.9-1.10 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3225.html CVE-2015-3225 https://bugzilla.suse.com/934797 SUSE Bug 934797 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. CVE-2018-16471 openSUSE Tumbleweed:ruby2.7-rubygem-rack-2.0-2.0.9-1.10 openSUSE Tumbleweed:ruby3.0-rubygem-rack-2.0-2.0.9-1.10 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16471.html CVE-2018-16471 https://bugzilla.suse.com/1114828 SUSE Bug 1114828 https://bugzilla.suse.com/1116600 SUSE Bug 1116600 https://bugzilla.suse.com/1122178 SUSE Bug 1122178 There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 openSUSE Tumbleweed:ruby2.7-rubygem-rack-2.0-2.0.9-1.10 openSUSE Tumbleweed:ruby3.0-rubygem-rack-2.0-2.0.9-1.10 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174