Date: Wed, 20 Jul 2011 15:42:51 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: Huzaifa Sidhpurwala <huzaifas@...hat.com>
Cc: Ludwig Nussel <ludwig.nussel@...e.de>, Marcus Rueckert <mrueckert@...e.de>,
        security@...y-lang.org, Urabe Shyouhei <shyouhei@...y-lang.org>,
        oss-security@...ts.openwall.com, coley <coley@...re.org>
Subject: Re: CVE Request: ruby PRNG fixes

Sorry for the confusion.

----- Original Message -----
> On 07/11/2011 02:07 PM, Ludwig Nussel wrote:
> 
> > http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
> > http://redmine.ruby-lang.org/issues/4579
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
> 
> Looking at the above patches, there seem to be two issues here;
> perhaps two CVE ids need to be assigned?
> 
> 1. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> 
> This one pertains to rand returning the same values in forked processes.
> http://redmine.ruby-lang.org/issues/show/4338
> This is a regression, as it was fixed in 1.8.6-p114, but re-appeared in
> 1.8.6-p399.

Let's use CVE-2011-2686 for this one.

> 
> 2. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
> 
> This is an issue in the securerandom.rb module.
> http://redmine.ruby-lang.org/issues/4579
> 

Use CVE-2011-2705 for this.

Thanks.

-- 
    JB
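
The fork hazard behind the first issue above (rand returning the same values in forked processes), as an added example that is not code from this thread, from the Redmine tickets or from Ruby's own patches. It assumes a POSIX build of Ruby 1.9 or later, where Kernel#rand's default generator is reseeded in the child after fork but a Random instance created before the fork keeps its copied state; the helper in_child and the three check functions are this example's own names.

```ruby
require 'securerandom'

# Run the block in a forked child and hand its return value back to the
# parent over a pipe (Marshal is enough for the floats and strings used here).
def in_child
  rd, wr = IO.pipe
  pid = fork do
    rd.close
    wr.write(Marshal.dump(yield))
    wr.close
    exit!(0)            # skip the parent's at_exit handlers in the child
  end
  wr.close
  data = rd.read
  rd.close
  Process.wait(pid)
  Marshal.load(data)
end

# A Random instance built before fork is copied into every child with its
# generator state intact, so two sibling children draw the identical value.
# This reproduces, on purpose, the failure mode the first CVE is about:
# generator state inherited across fork and never reseeded.
def shared_instance_collides?
  rng = Random.new      # seeded once, in the parent, from OS entropy
  a = in_child { rng.rand }
  b = in_child { rng.rand }
  a == b
end

# Kernel#rand uses the default generator. The parent initialises it before
# forking (the realistic case); Ruby then reseeds it in each child, so the
# siblings draw different values.
def default_rand_collides?
  rand                  # initialise the default generator in the parent
  a = in_child { rand }
  b = in_child { rand }
  a == b
end

# SecureRandom reads OS entropy on every call, so it carries no generator
# state across fork at all; tokens and session ids belong here, not in rand.
def securerandom_collides?
  a = in_child { SecureRandom.hex(16) }
  b = in_child { SecureRandom.hex(16) }
  a == b
end

if __FILE__ == $PROGRAM_NAME
  puts "Random instance shared across fork collides: #{shared_instance_collides?}"
  puts "Kernel#rand collides after fork:              #{default_rand_collides?}"
  puts "SecureRandom collides after fork:             #{securerandom_collides?}"
end
```

Run it under any Ruby release you ship and treat a `true` on the second line as the regression described in the first issue coming back; the first line is expected to be `true` on every version, because only the default generator is reseeded at fork, so a pre-fork Random object must be recreated (or explicitly reseeded) in each child.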
