Date: Sun, 2 Aug 2015 18:27:32 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE request: XEE in ruby gem ruby-saml <1.0.0

Any update on a CVE assignment for this?

~reed

On Thu, Jul 9, 2015 at 2:48 AM, Reed Loden <reed@...dloden.com> wrote:

> Noticed this when reading changelog entries... I'm weird like that.
>
> https://github.com/onelogin/ruby-saml/pull/247
>
>
> https://github.com/onelogin/ruby-saml/commit/a2e5318530701bf14528c5b3b51c880b3499a75d
>
> "Avoid entity expansion (XEE attacks)"
>
> Release notes for ruby-saml v1.0.0
> https://github.com/onelogin/ruby-saml/releases/tag/v1.0.0
>
> (I wonder if the "Fix xpath injection on xml_security.rb" fix is a vuln as
> well)
>
> ~reed
>
