Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
Subject: Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4

We are not sure of the best way to interpret statements such as

> If this Gem is used in the context of a Rails application it maybe
> possible for a remote user to inject commands into the shell via
> #{password} #{user} #{deploy_name} #{application} variables if that
> data is user supplied.

At this level, one question might be: is it possible that this Gem
wasn't ever intended to be used in the context of a Rails application?
(This question may also apply to some other recent CVE requests.)

At a slightly higher level: says "These are the common
recipes we've been using here at The Kompanee." It seems unclear
whether this is really intended to have widespread use as-is except by insiders. For example, parts of it seem highly
site-specific such as lib/kompanee-recipes/bash.rb "This will install
a more secure SSH environment ... it will ... change the default
port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config
/etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets
intelligent defaults for Kompanee Rackspace deployments ... :domain,
"" ... :server_ip, "" ... Most of these
values can be overridden in each application's deploy.rb file.
Unfortunately some of them can't be such as :scm but they're our
recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically,
site-specific. It would perhaps be reasonable to decline to assign CVE
IDs for anything in kompanee-recipes because the entire Gem is
arguably being published as example code that could be adapted by
other organizations, not as a general-use product.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
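The pattern the quoted report describes (a deploy recipe interpolating #{password}, #{user} and similar values into a shell command string), shown as an added Ruby example beside its hardened form. This is not code from kompanee-recipes or from this thread; the mysql command template, the EXPECTED_WORDS constant, the function names and the input values are all constructed for illustration. The check does not run anything: it parses the assembled string with Shellwords.split, the way a POSIX shell would split it into words, and reports whether the value survived as a single argument.

```ruby
require 'shellwords'

# Constructed recipe fragment (an assumption, not kompanee-recipes code):
# a deploy step that drops caller-supplied values straight into a shell
# command string, the pattern the report above describes.
def unsafe_command(user, password, deploy_name)
  "mysql -u #{user} -p#{password} -e 'CREATE DATABASE #{deploy_name}'"
end

# Hardened form: every interpolated value goes through Shellwords.escape
# (Ruby standard library), so the shell sees each one as a single literal
# word whatever characters it contains. Validating deploy_name at the SQL
# level is a separate concern and is not addressed here.
def safe_command(user, password, deploy_name)
  [
    'mysql',
    '-u', Shellwords.escape(user),
    "-p#{Shellwords.escape(password)}",
    '-e', Shellwords.escape("CREATE DATABASE #{deploy_name}")
  ].join(' ')
end

# The template is meant to reach the shell as exactly six words:
# mysql, -u, USER, -pPASSWORD, -e, SQL.  (Constructed constant.)
EXPECTED_WORDS = 6

# Does the assembled string still split, under POSIX shell word rules,
# into the six words the template intends?  A value that adds words
# (whitespace) or leaves a quote unbalanced (Shellwords raises
# ArgumentError) has changed the structure of the command.
def structure_intact?(command)
  Shellwords.split(command).length == EXPECTED_WORDS
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a plain password, one with a space, one with a quote.
  ['s3cret', 's3c ret', "it's"].each do |pw|
    puts format('%-8s unsafe=%-5s safe=%s', pw.inspect,
                structure_intact?(unsafe_command('deploy', pw, 'app')),
                structure_intact?(safe_command('deploy', pw, 'app')))
  end
end
```

With the plain password both forms parse as six words; with a space or a quote in the value only the escaped form keeps the intended structure, which is what the report's "inject commands into the shell" claim comes down to.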

