Date: Tue, 17 Dec 2013 19:56:18 -0500 (EST)
From: cve-assign@...re.org
To: stbuehler@...httpd.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Juvia secret token handling

> Juvia is a Ruby on Rails application to host "comments":
> > A commenting server similar to Disqus and IntenseDebate
> 
> It includes a "default" secret to validate cookies in 
> `app/config/initializers/secret_token.rb', and the install instructions
> do not include generating a new secret.
> Also the file in question is maintained in git, and configuration
> should not touch these files.
> 
> This means an attacker could modify session state, which is somehow
> trusted by the Rails application.
> 
> A workaround for Juvia is to generate a new secret (`rake secret') and
> replace the one in
> `app/config/initializers/secret_token.rb' (invalidating all cookies,
> don't forget to restart Juvia).
> You have to be careful when switching between git branches and so on to
> not lose the change.
> 
> The core problem is that rails generated the file that way; other gems
> have similar issues.
> The rails security team has been informed about this.

They would be eligible for their own CVE ID if they conclude that this is
a security-relevant implementation error in the file-generation process.
The CVE below is specific to Juvia, for the issue in which a valid
Juvia::Application.config.secret_token value is "shipped" in the product
without an installation step in which the value must be changed.

> * Juvia "public" secret:
>   https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb
> * Juvia issue for this: https://github.com/phusion/juvia/issues/55

Use CVE-2013-7134.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
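As an added example (not code from this thread or from the Juvia project), a Ruby audit of a Rails 3 `secret_token` initializer of the kind discussed above: it extracts the committed value, flags tokens that are too short or whose digest matches a list of values known to be public, and rewrites the file with a fresh token the way `rake secret` would. The initializer text, the sample token and the digest list are constructed for the example; a real deployment would feed it the repository's own file and its own inventory of leaked values.

```ruby
require 'securerandom'
require 'digest'

# Constructed sample token; it stands in for a value that was committed to
# a public repository and is therefore known to everyone.
SAMPLE_SHIPPED_TOKEN = 'c0ffee1234deadbeef5678feedface9abcdef0123456789abcdef0123456789ab'

# Constructed sample of a Rails 3 initializer as it might sit in git.
SHIPPED_INITIALIZER = <<~RUBY
  # Be sure to restart your server when you modify this file.
  Juvia::Application.config.secret_token = '#{SAMPLE_SHIPPED_TOKEN}'
RUBY

# Digests rather than plaintexts of tokens known to be public, so the list
# itself does not reproduce a secret. Constructed from the sample above.
KNOWN_PUBLIC_TOKEN_DIGESTS = [
  Digest::SHA256.hexdigest(SAMPLE_SHIPPED_TOKEN)
].freeze

MIN_TOKEN_LENGTH = 30 # Rails refuses a secret_token shorter than this

# Pull the quoted secret_token literal out of an initializer's source.
def extract_secret_token(source)
  m = source.match(/config\.secret_token\s*=\s*(['"])(.*?)\1/)
  m && m[2]
end

# Return a list of findings; an empty list means the token passes.
def audit_secret_token(token)
  return [:missing] if token.nil? || token.empty?
  findings = []
  findings << :too_short if token.length < MIN_TOKEN_LENGTH
  digest = Digest::SHA256.hexdigest(token)
  findings << :public if KNOWN_PUBLIC_TOKEN_DIGESTS.include?(digest)
  findings
end

# Same shape as the output of `rake secret`: 64 random bytes as 128 hex chars.
def fresh_secret_token
  SecureRandom.hex(64)
end

# Rewrite the initializer with a fresh token, the workaround described in the
# thread. Existing cookies stop validating once the application restarts.
def rotate_secret_token(source, token = fresh_secret_token)
  source.sub(/(config\.secret_token\s*=\s*)(['"]).*?\2/) { "#{$1}'#{token}'" }
end
```

Running the audit in CI against the checked-in initializer catches the case the CVE describes: a valid token present in the repository with no install step that replaces it.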