Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Jul 2014 16:26:32 +0900
From: "Shota Fukumori (sora_h)" <her@...ah.jp>
To: mmcallis@...hat.com
Cc: oss-security@...ts.openwall.com, security <security@...y-lang.org>, 
	moses@...petlabs.com
Subject: Re: possible CVE-2010 request: Ruby older than 1.9.2 appending
 current directory to the load path

I guess the change (committed r23816 in our svn repository,) is not a
security issue (just a hardening).

so I think it shouldn't need CVE ID.

Thoughts? > security@...y-lang.org

On Tue, Jul 8, 2014 at 4:14 PM, Murray McAllister <mmcallis@...hat.com> wrote:
> Good morning,
>
> CVE-2014-3248 (http://puppetlabs.com/security/cve/cve-2014-3248)
> describes the following:
>
> "On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet
> execute malicious code by convincing a privileged user to change
> directories to one containing the malicious code and then run Puppet."
>
> The issue in Ruby was fixed here:
>
> https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released/
>
> The "$: doesn't include the current direcotry." entry, I guess.
>
> Is a 2010 CVE ID needed for this, or should it only be treated as hardening?
>
> Thanks,
>
> --
> Murray McAllister / Red Hat Product Security



-- 
Shota Fukumori a.k.a. @sora_h http://sorah.jp/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ