Date: Wed, 13 Feb 2013 23:26:42 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: Reed Loden <reed@...dloden.com>
CC: oss-security@...ts.openwall.com, maxim@...oillogical.com
Subject: Re: Some rubygems related CVEs

On 02/13/2013 07:55 PM, Reed Loden wrote:
> On Wed, 13 Feb 2013 19:39:23 -0700 Kurt Seifried
> <kseifried@...hat.com> wrote:
> 
>> newrelic_rpm information disclosure
> 
>> newrelic_rpm
>> https://newrelic.com/docs/ruby/ruby-agent-security-notification
>> A bug in the Ruby agent causes database connection information and
>> raw SQL statements to be transmitted to New Relic servers. The
>> database connection information includes the database IP address,
>> username, and password. The information is not stored or
>> retransmitted by New Relic and is immediately discarded.
> 
>> Please use CVE-2013-0284 for this issue.
> 
> This issue was disclosed on 2012-12-06, so it should actually have
> a CVE-2012-XXXX assignment.
> 
> ~reed

Well, the entry had no date and I couldn't find out one way or the
other, so 2013 it is.

Just a general note: please put published dates on your web pages. It
makes life ever so much easier.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
