Security update for rubygem-actionpack-4_2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1162-1 Final 1 1 2021-04-13T09:44:34Z current 2021-04-13T09:44:34Z 2021-04-13T09:44:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-4_2 This update for rubygem-actionpack-4_2 fixes the following issues: - CVE-2019-16782: Possible Information Leak / Session Hijack Vulnerability in Rack (bsc#1159548) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1162,SUSE-OpenStack-Cloud-7-2021-1162,SUSE-OpenStack-Cloud-Crowbar-8-2021-1162,SUSE-OpenStack-Cloud-Crowbar-9-2021-1162 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211162-1/ Link for SUSE-SU-2021:1162-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008616.html E-Mail link for SUSE-SU-2021:1162-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 ruby2.1-rubygem-actionpack-doc-4_2-4.2.9-7.9.1 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211162-1/ https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174