Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Dec 2013 19:56:18 -0500 (EST)
From: cve-assign@...re.org
To: stbuehler@...httpd.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Juvia secret token handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Juvia is a Ruby on Rails application to host "comments":
> > A commenting server similar to Disqus and IntenseDebate
> 
> It includes a "default" secret to validate cookies in 
> `app/config/initializers/secret_token.rb', and the install instructions
> do not include generating a new secret.
> Also the file in question is maintained in git, and configuration
> should not touch these files.
> 
> This means an attacker could modify session state, which is somehow
> trusted by the Rails application.
> 
> A workaround for Juvia is to generate a new secret (`rake secret') and
> replace the one in
> `app/config/initializers/secret_token.rb' (invalidating all cookies,
> don't forget to restart Juvia).
> You have to be careful when switching between git branches and so on to
> not loose the change.
> 
> The core problem is that rails generated the file that way; other gems
> have similar issues.
> The rails security team has been informed about this.

They would be eligible for their own CVE ID if they conclude that this is
a security-relevant implementation error in the file-generation process.
The CVE below is specific to Juvia, for the issue in which a valid
Juvia::Application.config.secret_token value is "shipped" in the product
without an installation step in which the value must be changed.

> * Juvia "public" secret:
>   https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb
> * Juvia issue for this: https://github.com/phusion/juvia/issues/55

Use CVE-2013-7134.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSsPGmAAoJEKllVAevmvms38cH/2MOQkPQcH6E3P/OB6Gb+joD
DsqJz+03vWIO++M3JlbEESry7CwhyBJqwzIJUDeMb/zz4AcUR+xnIx0u3gVQzq9k
bJF3r3QdVRg0gkQoA8wx1eXaNhPDCRboqXI9Q9FopkvP9r9A5PSQF1QytITI/7b4
TzSqx9VMK3Acp4gGx4DKiQSFJRuFPLm1HWWuvFwg3G3J2/77hAegOs5z6Jo1vbHi
VL2A/LTOBE+AHkhvdcBXQmtsLWUnf+cb3HRL6R5Ekt4ke+gWkLlRdau0Mq4YpnWa
5n4GUEmasWLOfVDgblGIrMrbjplPZneGw8VsMXCjIWswQuFaVyyTEmBZD9EXcG4=
=qD6C
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.