Date: Tue, 08 Jul 2014 17:14:46 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: moses@...petlabs.com, security@...y-lang.org Subject: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path Good morning, CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248) describes the following: "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet." The issue in Ruby was fixed here: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/ The "$: doesn't include the current direcotry." entry, I guess. Is a 2010 CVE ID needed for this, or should it only be treated as hardening? Thanks, -- Murray McAllister / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ