Message-ID: <CAMyKfL1EXnYhyaDrg6q2jQaFMd-u4roh2a8MhYJ9Fr7+KSHnuw@mail.gmail.com>
Date: Fri, 5 Jun 2015 17:58:14 -0700
From: Phill MV <phillmv@...te.io>
To: oss-security@...ts.openwall.com
Subject: CVE Request: bson-ruby DoS and possible injection

Hi,

Egor Homakov recently disclosed a vulnerability in the `bson` rubygem, as seen here:
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Could we please get a CVE?

By submitting a specially crafted string to a service relying on the bson rubygem, an attacker may trigger denials of service or even inject data into victims' MongoDB instances.

Users are advised to update to versions >= 3.0.4 of the `bson` rubygem.

Relevant commits can be seen here:
https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7

Thanks!
--
Phillip Mendonça-Vieira
@phillmv <http://twitter.com/phillmv>
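The message above does not spell out the root cause, but the linked write-up's URL ("mongo_ruby_regexp") points at a regular-expression issue, and the class of bug it alludes to is a well-known Ruby pitfall: `^` and `$` match at line boundaries rather than at the ends of the whole string, so a "validate then use" check built on them can be satisfied by a multi-line string that carries extra data past the validated part. The following is an added, self-contained illustration of that general pitfall and its fix (`\A`/`\z` anchors). It is not code from the bson gem or from the blog post, and the function names and the sample strings (a 24-hex-digit identifier with attacker-controlled bytes appended or prepended) are assumptions constructed for the example.

```ruby
# Added example (not bson-ruby's code): why ^/$ anchors are unsafe for
# whole-string validation in Ruby, and what the strict form looks like.

# Weak check: in Ruby, ^ and $ match at the start/end of ANY line, so a
# string such as "<24 hex digits>\n<anything>" satisfies this regex even
# though the string as a whole is not a 24-digit hex identifier.
def legal_weak?(string)
  (string.to_s =~ /^[0-9a-f]{24}$/i) ? true : false
end

# Strict check: \A and \z anchor to the start and end of the whole string,
# and \h is Ruby's hex-digit class, so no surrounding bytes can slip through.
def legal_strict?(string)
  /\A\h{24}\z/.match?(string.to_s)
end

# Constructed sample inputs (assumed, not taken from the advisory):
#   clean     - a plain 24-hex-digit identifier
#   multiline - the identifier followed by a newline and extra payload
#   leading   - junk, a newline, then the identifier
#   short     - too few hex digits
SAMPLE_INPUTS = {
  'clean'     => '4e4d66343b39b68407000001',
  'multiline' => "4e4d66343b39b68407000001\n{\"$gt\":\"\"}",
  'leading'   => "x\n4e4d66343b39b68407000001",
  'short'     => '4e4d66343b39b684070000',
}.freeze

# Runs both checks over the inputs and reports the verdict of each.
def compare(inputs = SAMPLE_INPUTS)
  inputs.transform_values do |s|
    { weak: legal_weak?(s), strict: legal_strict?(s) }
  end
end

# Inputs the weak check accepts but the strict one rejects: exactly the
# strings that would reach downstream code carrying unvalidated bytes.
def bypasses(inputs = SAMPLE_INPUTS)
  compare(inputs).select { |_, v| v[:weak] && !v[:strict] }.keys
end

if $PROGRAM_NAME == __FILE__
  compare.each { |name, v| puts format('%-9s weak=%-5s strict=%s', name, v[:weak], v[:strict]) }
  puts "bypasses weak check: #{bypasses.inspect}"
end
```

The practical takeaway for reviewing Ruby validation code: grep for `^`/`$` in any regex that gates what is passed on to a database driver, a shell, or a serializer, and replace them with `\A`/`\z` (note `\z`, not `\Z`, which still tolerates a trailing newline).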