Date: Fri, 5 Jun 2015 17:58:14 -0700 From: Phill MV <phillmv@...te.io> To: oss-security@...ts.openwall.com Subject: CVE Request: bson-ruby DoS and possible injection Hi, Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as seen here: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html Could we please get a CVE? By submitting a specially crafted string to a service relying on the bson rubygem, an attacker may trigger denials of service or even inject data into victim's MongoDB instances. Users are advised to update to versions >= 3.0.4 of the `bson` rubygem. Relevant commits can be seen here: https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7 Thanks!, -- Phillip Mendonça-Vieira @phillmv <http://twitter.com/phillmv>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ