Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
remote attackers to guess the session cookie, gain privileges, and
execute arbitrary code via a timing attack involving an HMAC
comparison function that does not run in constant time.
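
The flaw class described above, shown as an added Ruby example that is not Rack's own code: a signed-cookie check using an early-exit comparison beside one that runs in constant time. The `data--digest` layout, HMAC-SHA1, the secret and all helper names are assumptions made for the illustration.

```ruby
require 'openssl'

# Constructed secret, for this example only.
SECRET = 'example-secret-not-for-production'

# HMAC-SHA1 hex digest over the cookie payload (assumed signing scheme).
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Split an assumed "data--digest" cookie; nil when it is malformed.
def split_cookie(cookie)
  data, sep, digest = cookie.to_s.rpartition('--')
  return nil if sep.empty? || data.empty?
  [data, digest]
end

# Hypothetical helper: touches every byte before answering, so the run time
# does not depend on where the first mismatch sits. The length check may exit
# early because the digest length is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Weak form: String#== may stop at the first differing byte, so the
# response time depends on how much of the digest matched.
def verify_leaky(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil unless data
  digest == sign(data, secret) ? data : nil
end

# Hardened form: same logic, constant-time comparison of the digests.
def verify_constant_time(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil unless data
  secure_compare(digest, sign(data, secret)) ? data : nil
end

# Constructed sample cookie: Base64 payload plus its digest.
def sample_cookie
  data = ['user_id=42'].pack('m0')
  "#{data}--#{sign(data)}"
end
```

Both functions accept and reject the same cookies; only the time taken to reject differs.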