Upstream information
Description
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
NVD CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
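The comparison flaw described above, as an added example that is not Rack's own code: a Rack-style signed cookie is assumed to have the form `<payload>--<hex HMAC>`, and the early-exit check is shown beside the constant-time one. Instead of measuring wall-clock time, each comparison reports how many bytes it inspected, which is the quantity a timing attack observes indirectly.

```ruby
require 'openssl'

# Constructed example, not code from Rack. SECRET stands in for the
# server-side signing key (assumption); it is never sent to the client.
SECRET = 'constructed-demo-secret-key'

def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
end

# Early-exit comparison (the vulnerable pattern): stops at the first
# mismatching byte, so the work done grows with the length of the correct
# prefix of the supplied digest. Returns [equal?, bytes_inspected].
def early_exit_compare(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  inspected = 0
  expected.each_byte.with_index do |x, i|
    inspected += 1
    return [false, inspected] if x != given.getbyte(i)
  end
  [true, inspected]
end

# Constant-time comparison: visits every byte and folds all differences
# into one accumulator, so the work is independent of where a mismatch is.
def constant_time_compare(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  diff = 0
  expected.each_byte.with_index { |x, i| diff |= x ^ given.getbyte(i) }
  [diff.zero?, expected.bytesize]
end

# Verify a "<payload>--<digest>" cookie using the constant-time check.
def valid_cookie?(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return false if payload.nil? || digest.nil?
  constant_time_compare(sign(payload, secret), digest).first
end

if __FILE__ == $PROGRAM_NAME
  payload = 'constructed-session-blob'          # constructed sample payload
  good = sign(payload)
  # A constructed digest that shares only its first 10 hex characters.
  guess = good[0, 10] + good[10..-1].tr('0-9a-f', '1-9a-f0')
  p early_exit_compare(good, guess)    # [false, 11]: leaks the prefix length
  p constant_time_compare(good, guess) # [false, 40]: always the full digest
  p valid_cookie?("#{payload}--#{good}"), valid_cookie?("#{payload}--#{guess}")
end
```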
Novell/SUSE information
Novell Bugzilla entry: 802794, 809839
SUSE Security Advisories:
- openSUSE-SU-2013:0338-1, published Mon, 25 Feb 2013 11:06:04 +0100 (CET)
- openSUSE-SU-2013:0462-1, published Thu, 14 Mar 2013 20:04:25 +0100 (CET)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Studio Extension for System z 1.2; SUSE Studio Onsite 1.2 [Appliance - Studio]; SUSE Studio Standard Edition 1.2; WebYaST 1.2 | | Builds SAT Patch Nr: 7389 |
| SUSE Cloud 1.0; SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 7388 |
| SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 7387 |
| BDK 11 SP2 | | Builds SAT Patch Nr: 7617 |
| SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 7617 |
| SUSE Lifecycle Management Server 1.3; SUSE Studio Onsite 1.3; WebYaST 1.3 | | Builds SAT Patch Nr: 7617 |
