Rack::Protection v1.5.5 is out
I have just released Rack Protection v1.5.5 to backport a security fix.
Details
v1.5.5 contains a security fix for CVE-2018-1000119.
The issue is a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed.
The original fix was already merged in rack-protection v2.0.0.rc3, so there is no problem if you are using rack-protection v2.0.0.rc3 or later.
First of all, we strongly recommend that you check the version of rack-protection
you are currently using in your application.
You can confirm it by looking at the version of rack-protection recorded in Gemfile.lock.
If you are still using rack-protection v1.5.4 or earlier, we highly recommend upgrading the gem.
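The Gemfile.lock check described above can be scripted. The following is an added example, not code from the rack-protection project. The function names and the sample lockfile are constructed for illustration, and it assumes that 2.0.0 pre-releases older than rc3 do not carry the fix.

```ruby
require "rubygems" # provides Gem::Version

# Fix points taken from the announcement above.
FIXED_1X = Gem::Version.new("1.5.5")
FIXED_2X = Gem::Version.new("2.0.0.rc3")
# Assumption: 2.0.0 pre-releases older than rc3 do not carry the fix.
FIRST_2X_PRERELEASE = Gem::Version.new("2.0.0.a")

# Constructed sample lockfile (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.4)
      rack-protection (1.5.3)
        rack
      sinatra (1.4.7)
        rack (~> 1.5)
        rack-protection (~> 1.4)
        tilt (>= 1.3, < 3)
      tilt (2.0.5)

  DEPENDENCIES
    sinatra
LOCK

# Returns the resolved rack-protection version from Gemfile.lock text, or nil.
# Resolved specs are indented four spaces; the six-space lines are only
# dependency constraints such as "(~> 1.4)" and must be skipped.
def locked_rack_protection_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack-protection \(([^)]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Classifies the locked version as :fixed, :upgrade_needed or :not_present.
def rack_protection_status(lockfile_text)
  v = locked_rack_protection_version(lockfile_text)
  return :not_present if v.nil?
  return :fixed if v >= FIXED_2X
  return :fixed if v >= FIXED_1X && v < FIRST_2X_PRERELEASE
  :upgrade_needed
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "rack-protection: #{rack_protection_status(text)}"
end
```

Run it with the path to a Gemfile.lock as the first argument; without an argument it checks the constructed sample.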
Thank you
Finally, I am deeply grateful to Andreas Karlsson and Kurt Seifried who worked on this issue. Thank you.