Re: Issues regarding ruby-rack/CVE-2019-16782


I have looked into this some but I have not been able to determine how long the session ids were before the fix. Does anyone have that information?
Based on that we can rather easily determine how long a timing attack would take. My guess is a really long time.

On Mon, 10 Feb 2020 at 07:31, Brian May <bam@debian.org> wrote:
Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)

Do you have any references to the upstream issue regarding the possible

I see:


Apparently the regression is unavoidable - see

Which in turn generated controversy - is it OK to cause breakage if it
fixes a known security issue?

This might rule out being able to provide fixes for Buster and Jessie.

Oh, I see, #1431 mentions the possible backdoor; a claim that was

It also seems like "I agree that the vulnerability is not that great and
does take substantial time to pull off." - wonder if it is even worth
trying to fix this for anything other than unstable+testing.
Brian May <bam@debian.org>

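The estimate asked for in the top message, as an added example that is not part of the thread and not Rack's own code: a toy model of a per-character timing oracle against a session-id lookup, the attacker's strategy for exploiting it, the guess counts it implies compared with brute force, and the mitigation of keying the store on a digest of the client-visible id rather than the id itself (my understanding of the shape of the upstream fix, stated here as an assumption, not a description of Rack's code). The session id, the hex alphabet, the sample counts and the request timing are constructed inputs.

```ruby
# Added example; not Rack's code and not part of the original thread. It models
# the timing attack on session-id lookup that CVE-2019-16782 describes and the
# cost estimate asked about in the thread. Assumptions: (1) the vulnerable
# lookup's running time grows with the number of leading characters of the
# guess that match the stored id; (2) ids are drawn from a hex alphabet; (3) the
# fix amounts to keying the store on a digest of the public id. The session id
# below is constructed, not real.
require 'digest'

ALPHABET = ('0'..'9').to_a + ('a'..'f').to_a

# Stand-in for a lookup/compare that bails out at the first mismatch.
# Returns [matched?, steps]; `steps` plays the role of measured time.
def leaky_compare(stored, guess)
  return [false, 0] unless guess.length == stored.length
  stored.length.times do |i|
    return [false, i] if stored[i] != guess[i]
  end
  [true, stored.length]
end

# Attacker strategy: fix one position at a time, keeping the symbol that makes
# the lookup take longest. `oracle` maps a full-length guess to a step count.
def recover_with_oracle(length, oracle)
  prefix = +''
  length.times do
    prefix << ALPHABET.max_by { |ch| oracle.call((prefix + ch).ljust(length, '0')) }
  end
  prefix
end

# Mitigation (assumed shape of the upstream fix): never use the client-visible
# id as the storage key; key the store on its digest instead, so a one-character
# change in the guess changes every character of the value actually compared.
def private_id(public_id)
  Digest::SHA256.hexdigest(public_id)
end

# Worst-case guess counts for the two strategies.
def brute_force_guesses(length, alphabet_size = ALPHABET.size)
  alphabet_size**length
end

def oracle_guesses(length, alphabet_size = ALPHABET.size)
  length * alphabet_size
end

# Wall-clock estimate: each guess is sampled several times to average out jitter.
def attack_seconds(guesses, samples_per_guess, seconds_per_request)
  guesses * samples_per_guess * seconds_per_request
end

SECRET_SID = 'deadbeef0badc0de'.freeze # constructed 16-hex-char session id

# Vulnerable store: the public id is the lookup key.
LEAKY_ORACLE  = ->(guess) { leaky_compare(SECRET_SID, guess)[1] }
# Hardened store: the digest of the public id is the lookup key.
HASHED_ORACLE = ->(guess) { leaky_compare(private_id(SECRET_SID), private_id(guess))[1] }

def demo
  recovered_leaky  = recover_with_oracle(SECRET_SID.length, LEAKY_ORACLE)
  recovered_hashed = recover_with_oracle(SECRET_SID.length, HASHED_ORACLE)
  {
    leaky_recovers_sid:  recovered_leaky == SECRET_SID,
    hashed_recovers_sid: recovered_hashed == SECRET_SID,
    brute_force: brute_force_guesses(SECRET_SID.length),
    with_oracle: oracle_guesses(SECRET_SID.length)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
  # Constructed scenario: a 32-hex-char id, 1000 samples per guess, 50 ms per request.
  puts "oracle attack on 32-char id: #{attack_seconds(oracle_guesses(32), 1000, 0.05)} s"
end
```

`demo` reports that the per-character oracle recovers the constructed 16-character id in at most 16 * 16 = 256 guesses, where brute force would need 16**16, and that the same strategy run against the digest-keyed store recovers nothing. The model only shows how the cost scales: the real figure depends on the id length the thread is asking about and on how many samples per guess are needed to see the timing difference over a network, which is what `attack_seconds` parameterises. A constant-time string comparison fixes a direct equality check but does not change how a database index finds a key, which is why a mitigation of this shape changes the key itself.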