Hi, I have looked into this some, but I have not been able to determine how long the session ids were before the fix. Does anyone have that information? Based on that we can rather easily determine how long a timing attack would take. My guess is a really long time.
Best regards // Ola

On Mon, 10 Feb 2020 at 07:31, Brian May <b...@debian.org> wrote:
> Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:
>
> > Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> > This security update induces a regression, resulting in some issues in
> > using the library.
> > Also, there's a slight possibility of this patch inducing a backdoor on
> > its own.
> >
> > The issues have already been opened to/with the upstream and I hope
> > they're looking into it.
> > P.S. Shall update here when available :)
>
> Do you have any references to the upstream issue regarding the possible
> backdoor?
>
> I see:
>
> https://github.com/rack/rack/issues/1431
> https://github.com/rack/rack/issues/1432
> https://github.com/rack/rack/issues/1433
>
> Apparently the regression is unavoidable - see
> https://github.com/rack/rack/issues/1432#issuecomment-571688819
>
> Which in turn generated controversy - is it OK to cause breakage if it
> fixes a known security issue?
> https://github.com/rack/rack/issues/1432#issuecomment-571701768
>
> This might rule out being able to provide fixes for Buster and Jessie.
>
> Oh, I see, #1431 mentions the possible backdoor; a claim that was
> disputed.
>
> It also seems like "I agree that the vulnerability is not that great and
> does take substantial time to pull off." - wonder if it is even worth
> trying to fix this for anything other than unstable+testing.
> --
> Brian May <b...@debian.org>

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
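The calculation Ola is after (how the id length bounds the attack) can be shown with a small simulation. This is an added example, not code from the thread and not Rack's own implementation: `LeakyStore` stands in for a store whose key comparison stops at the first mismatching character, and its `probe` method returns the matched-prefix length directly instead of a measured time, so the run is deterministic. `HashedStore` shows the shape of the upstream fix (key the store by a SHA-256 digest of the id, so the cookie carries the preimage and the store only ever compares digests); Rack names those values `public_id` and `private_id`, but the classes, method names and the 32-character hex id length used in the arithmetic are assumptions of this example, not an answer to the question above.

```ruby
require "digest"

# Hex alphabet of a Rack-style session id (assumed: 128 random bits rendered
# as 32 lowercase hex characters).
HEX = ("0".."9").to_a + ("a".."f").to_a

# Simulated session store that looks sessions up by the raw id with a
# comparison that stops at the first mismatching character. A real store
# would leak the matched-prefix length through response time; here probe()
# returns that length directly and counts how many probes were needed.
class LeakyStore
  attr_reader :queries

  def initialize
    @sessions = {}
    @queries = 0
  end

  def store_session(sid, value)
    @sessions[sid] = value
  end

  def fetch(sid)
    @sessions[sid]
  end

  # Oracle: longest prefix of probe_key shared with any stored key.
  def probe(probe_key)
    @queries += 1
    @sessions.keys.map { |k| common_prefix(k, probe_key) }.max || 0
  end

  private

  def common_prefix(a, b)
    n = 0
    n += 1 while n < a.length && n < b.length && a[n] == b[n]
    n
  end
end

# Store keyed by SHA-256 of the id: the cookie carries the preimage, the
# store only ever sees the digest. This class is the example's own, modelled
# on the public_id / private_id split of the upstream fix.
class HashedStore < LeakyStore
  def self.private_id(public_id)
    Digest::SHA256.hexdigest(public_id)
  end

  def store_session(public_id, value)
    super(self.class.private_id(public_id), value)
  end

  def fetch(public_id)
    super(self.class.private_id(public_id))
  end
end

# Recover one stored key of `length` hex characters, one position at a time:
# at most HEX.size probes per position, so linear in the length instead of
# exponential in it.
def recover_key(store, length)
  recovered = ""
  length.times do |pos|
    HEX.each do |c|
      candidate = (recovered + c).ljust(length, "0")
      if store.probe(candidate) > pos
        recovered += c
        break
      end
    end
  end
  recovered
end

# Worst-case oracle probes versus blind guessing for an id of `length`
# symbols over `alphabet` symbols. For the assumed 32-character hex id that
# is 512 probes instead of 16**32 guesses; a real attack multiplies the 512
# by the samples needed to average out timing noise, which is where the
# "substantial time" comes from.
def worst_case_probes(length, alphabet = HEX.size)
  length * alphabet
end

def blind_guesses(length, alphabet = HEX.size)
  alphabet**length
end

if __FILE__ == $PROGRAM_NAME
  leaky = LeakyStore.new
  leaky.store_session("deadbeef", { user: "alice" })   # constructed sample session
  sid = recover_key(leaky, 8)
  puts "leaky store: recovered #{sid} in #{leaky.queries} probes, " \
       "session = #{leaky.fetch(sid).inspect}"

  hashed = HashedStore.new
  hashed.store_session("deadbeef", { user: "alice" })
  digest = recover_key(hashed, 64)
  puts "hashed store: recovered only the digest #{digest[0, 12]}..., " \
       "fetch with it = #{hashed.fetch(digest).inspect}"
  puts "32-char id: #{worst_case_probes(32)} probes vs #{blind_guesses(32)} guesses"
end
```

Against the leaky store the attacker recovers the id with a few hundred probes and can present it as a cookie; against the hashed store the same oracle yields only the 64-character digest, and presenting that digest as a cookie fails because the store hashes it again before lookup. Lengthening the raw id does not change the first outcome much, since the probe count grows linearly with the length; keeping the preimage out of the store does.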