Date: Tue, 8 Jul 2014 16:26:32 +0900 From: "Shota Fukumori (sora_h)" <her@...ah.jp> To: mmcallis@...hat.com Cc: oss-security@...ts.openwall.com, security <security@...y-lang.org>, moses@...petlabs.com Subject: Re: possible CVE-2010 request: Ruby older than 1.9.2 appending current directory to the load path I guess the change (committed r23816 in our svn repository,) is not a security issue (just a hardening). so I think it shouldn't need CVE ID. Thoughts? > security@...y-lang.org On Tue, Jul 8, 2014 at 4:14 PM, Murray McAllister <mmcallis@...hat.com> wrote: > Good morning, > > CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248) > describes the following: > > "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet > execute malicious code by convincing a privileged user to change > directories to one containing the malicious code and then run Puppet." > > The issue in Ruby was fixed here: > > https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/ > > The "$: doesn't include the current direcotry." entry, I guess. > > Is a 2010 CVE ID needed for this, or should it only be treated as hardening? > > Thanks, > > -- > Murray McAllister / Red Hat Product Security -- Shota Fukumori a.k.a. @sora_h http://sorah.jp/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ