Re: Issues regarding ruby-rack/CVE-2019-16782

To: Ola Lundqvist <ola@inguza.com>
Cc: Ola Lundqvist <ola@inguza.com>, Utkarsh Gupta <guptautkarsh2102@gmail.com>, Debian Security Team <team@security.debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Issues regarding ruby-rack/CVE-2019-16782
From: Brian May <bam@debian.org>
Date: Tue, 18 Feb 2020 19:50:37 +1100
Message-id: <[🔎] 87d0acxorm.fsf@silverfish.pri>
In-reply-to: <[🔎] CABY6=0krVCyAwf=M0njTNbCW_Lj5JeeNK1Aksnj8VZJ52_GJjA@mail.gmail.com>
References: <5cfc2ed4-5b07-1b2c-5997-4b104e281491@gmail.com> <[🔎] 87wo8vj6nc.fsf@silverfish.pri> <[🔎] CABY6=0mXd6jV1Dpb-X=CUZOpakC1CekGNOvOQK+MYy4ZjZtoUw@mail.gmail.com> <[🔎] 87r1z1k3ux.fsf@silverfish.pri> <[🔎] CABY6=0kovrOPLyRgKOUp-0McC=VpBgawqDMBosjL81qq2on-EA@mail.gmail.com> <[🔎] 87o8u4johh.fsf@silverfish.pri> <[🔎] CABY6=0nTzFzcHfcJkCOafp+HAZ0wiVMKgHQzJS1OzEu0iY-a_g@mail.gmail.com> <[🔎] 87lfp5kbjv.fsf@silverfish.pri> <[🔎] CABY6=0krVCyAwf=M0njTNbCW_Lj5JeeNK1Aksnj8VZJ52_GJjA@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> So regarding your throught about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?

I suspect you are mostly correct.

However how many people would really notice if an attacker made numerous
connections to their website in attempt to exploit this?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Brian May <bam@debian.org>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Brian May <bam@debian.org>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Brian May <bam@debian.org>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Brian May <bam@debian.org>
- Re: Issues regarding ruby-rack/CVE-2019-16782
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Next by Date: Re: Issues regarding ruby-rack/CVE-2019-16782
Previous by thread: Re: Issues regarding ruby-rack/CVE-2019-16782
Next by thread: Re: Issues regarding ruby-rack/CVE-2019-16782
Index(es):
- Date
- Thread