Security update for rubygem-rack
SUSE Security Update: Security update for rubygem-rack
3 denial of service conditions in the Rack 1.3 rubygem have
been fixed.
*
Rack was updated to 1.3.10:
o Fix CVE-2013-0263, timing attack against
Rack::Session::Cookie
*
Rack was updated to 1.3.9.
o Rack::Auth::AbstractRequest no longer
symbolizes arbitrary strings (CVE-2013-0184) o Security:
Prevent unbounded reads in large multipart boundaries
(CVE-2013-0183)
*
Changes from 1.3.7 (CVE-2012-6109)
o Add warnings when users do not provide a
session secret o Fix parsing performance for unquoted
filenames o Updated URI backports o Fix URI backport
version matching, and silence constant warnings o Correct
parameter parsing with empty values o Correct rackup '-I'
flag, to allow multiple uses o Correct rackup pidfile
handling o Report rackup line numbers correctly o Fix
request loops caused by non-stale nonces with time limits o
Prevent infinite recursions from Response#to_ary o Various
middleware better conforms to the body close specification
o Updated language for the body close specification o
Additional notes regarding ECMA escape compatibility issues
o Fix the parsing of multiple ranges in range headers
Security Issue references:
* CVE-2013-0184
>
* CVE-2013-0183
>
* CVE-2012-6109
>
| Announcement ID: | SUSE-SU-2013:0355-1 |
| Rating: | moderate |
| References: | #798452 #802794 |
| Affected Products: |
An update that fixes three vulnerabilities is now available. It includes one version update.
Description:
3 denial of service conditions in the Rack 1.3 rubygem have
been fixed.
*
Rack was updated to 1.3.10:
o Fix CVE-2013-0263, timing attack against
Rack::Session::Cookie
*
Rack was updated to 1.3.9.
o Rack::Auth::AbstractRequest no longer
symbolizes arbitrary strings (CVE-2013-0184) o Security:
Prevent unbounded reads in large multipart boundaries
(CVE-2013-0183)
*
Changes from 1.3.7 (CVE-2012-6109)
o Add warnings when users do not provide a
session secret o Fix parsing performance for unquoted
filenames o Updated URI backports o Fix URI backport
version matching, and silence constant warnings o Correct
parameter parsing with empty values o Correct rackup '-I'
flag, to allow multiple uses o Correct rackup pidfile
handling o Report rackup line numbers correctly o Fix
request loops caused by non-stale nonces with time limits o
Prevent infinite recursions from Response#to_ary o Various
middleware better conforms to the body close specification
o Updated language for the body close specification o
Additional notes regarding ECMA escape compatibility issues
o Fix the parsing of multiple ranges in range headers
Security Issue references:
* CVE-2013-0184
* CVE-2013-0183
* CVE-2012-6109
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-rack-13-201302-7387
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.3.10]:
- rubygem-rack-1_3-1.3.10-0.5.1
References:
- http://support.novell.com/security/cve/CVE-2012-6109.html
- http://support.novell.com/security/cve/CVE-2013-0183.html
- http://support.novell.com/security/cve/CVE-2013-0184.html
- https://bugzilla.novell.com/798452
- https://bugzilla.novell.com/802794
- http://download.suse.com/patch/finder/?keywords=79d7c27e638d31315b618ea99bba68b5