Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilites and Exposures project
identifies the following vulnerabilities:
- CVE-2011-5036
Rack computes hash values for form parameters without restricting
the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters.
- CVE-2013-0183
A remote attacker could cause a denial of service (memory
consumption and out-of-memory error) via a long string in a
Multipart HTTP packet.
- CVE-2013-0184
A vulnerability in Rack::Auth::AbstractRequest allows remote
attackers to cause a denial of service via unknown vectors.
- CVE-2013-0263
Rack::Session::Cookie allows remote attackers to guess the
session cookie, gain privileges, and execute arbitrary code via a
timing attack involving an HMAC comparison function that does not
run in constant time.
For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.
The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.
We recommend that you upgrade your librack-ruby packages.