Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Jul 2014 16:26:32 +0900
From: "Shota Fukumori (sora_h)" <>
Cc:, security <>,
Subject: Re: possible CVE-2010 request: Ruby older than 1.9.2 appending
 current directory to the load path

I guess the change (committed r23816 in our svn repository,) is not a
security issue (just a hardening).

so I think it shouldn't need CVE ID.

Thoughts? >

On Tue, Jul 8, 2014 at 4:14 PM, Murray McAllister <> wrote:
> Good morning,
> CVE-2014-3248 (
> describes the following:
> "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet
> execute malicious code by convincing a privileged user to change
> directories to one containing the malicious code and then run Puppet."
> The issue in Ruby was fixed here:
> The "$: doesn't include the current direcotry." entry, I guess.
> Is a 2010 CVE ID needed for this, or should it only be treated as hardening?
> Thanks,
> --
> Murray McAllister / Red Hat Product Security

Shota Fukumori a.k.a. @sora_h

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ