Ola Lundqvist writes:
> So regarding your thought about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use o
Hi
Precisely. This is why I was asking about the length of the session id
used. With the length we can estimate how many times an attacker may try to
find all possible values.
If this is small enough (and the attacker is close enough) it can be
exploited. But if the session key is really large, the
Hi
Now I have been thinking about this a little more. I have now understood
that there is one attack vector that I had not been thinking of. The
session id length and its randomness is an important factor but the timing
attack can exploit the database indexing functionality in order to reduce
the
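As an added illustration of the two points raised in this thread (it is example code written for this page, not Rack's or the Debian package's code): a store that keys its index by the raw session id lets a lookup whose cost depends on the length of the matching key prefix confirm an attacker's guess character by character, which shrinks the search from "all possible ids" to a few guesses per character. Keying the index by SHA-256 of the id instead means the attacker's probe is hashed before it touches the index, so whatever the timing channel reveals concerns the digest, not the id. The prefix-dependent index is simulated here rather than measured against a real database, and the 256-bit id length, the class and method names, and the filler-character trick in the probe are all assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# Simulated index (assumption for this example): it compares keys character
# by character like an ordered index walk and reports how many leading
# characters of the probe matched a stored key. A real attacker would infer
# this number from response times rather than read it directly.
class LeakyIndex
  def initialize
    @keys = []
  end

  def insert(key)
    @keys << key
  end

  # Longest common prefix between the probe and any stored key.
  def matched_prefix(probe)
    @keys.map { |k| common_prefix_length(k, probe) }.max || 0
  end

  private

  def common_prefix_length(a, b)
    n = 0
    n += 1 while n < a.length && n < b.length && a[n] == b[n]
    n
  end
end

class SessionStore
  ID_BYTES = 32 # 256-bit random ids: exhaustive search alone is infeasible

  # hashed: true keys the index by SHA-256(id) instead of the raw id
  def initialize(hashed:)
    @hashed = hashed
    @index = LeakyIndex.new
  end

  # Issue a fresh id (the cookie value) and record it in the index.
  def create
    id = SecureRandom.hex(ID_BYTES)
    @index.insert(key_for(id))
    id
  end

  # What the timing channel reveals for one probe: how many leading
  # characters of a stored key the probe's key shares.
  def leak(probe)
    @index.matched_prefix(key_for(probe))
  end

  private

  def key_for(id)
    @hashed ? Digest::SHA256.hexdigest(id) : id
  end
end

# Attacker who has already recovered the first k characters of a victim's
# id and probes with them, padding the rest with a character chosen to
# differ from the next real one so the match cannot extend by accident.
# Raw keys: the leak equals k, confirming the prefix and letting the attack
# proceed one character at a time. Hashed keys: the probe is hashed first,
# so the leak is the chance overlap of two unrelated digests.
def oracle_for_prefix(store, real_id, k)
  filler = real_id[k] == '0' ? '1' : '0'
  probe = real_id[0, k] + (filler * (real_id.length - k))
  store.leak(probe)
end

if __FILE__ == $PROGRAM_NAME
  raw = SessionStore.new(hashed: false)
  raw_id = raw.create
  puts "raw-keyed store, 8 known chars: leak = #{oracle_for_prefix(raw, raw_id, 8)}"

  hashed = SessionStore.new(hashed: true)
  hashed_id = hashed.create
  puts "hash-keyed store, 8 known chars: leak = #{oracle_for_prefix(hashed, hashed_id, 8)}"
end
```

With the raw-keyed store the reported leak grows exactly with the number of correctly guessed characters, which is the search-space reduction described above; with the hash-keyed store it stays at whatever two independent digests happen to share, so knowing part of the id gives no advantage. Hashing the id before it becomes a storage key is therefore a mitigation that does not depend on the database's lookup timing being constant.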
Hello all,
I have prepared an update of zsh to address CVE-2019-20044. I have
tested the resulting packages, including specifically testing to ensure
that the backported patches address the privilege escalation
vulnerability. However, given the magnitude of the change (patches
totalling around 8