Date: Fri, 5 Jun 2015 17:58:14 -0700
From: Phill MV <phillmv@...te.io>
To: oss-security@...ts.openwall.com
Subject: CVE Request: bson-ruby DoS and possible injection

Hi,

Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as
seen here: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Could we please get a CVE?

By submitting a specially crafted string to a service relying on the bson
rubygem, an attacker may trigger denials of service or even inject data
into victims' MongoDB instances.

Users are advised to update to versions >= 3.0.4 of the `bson` rubygem.
Relevant commits can be seen here:
https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7

Thanks!
-- 
Phillip Mendonça-Vieira
@phillmv <http://twitter.com/phillmv>
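An added example, not part of the message above and not code from the bson-ruby project: a small Ruby script that reads a Gemfile.lock and reports whether the pinned `bson` version is below the 3.0.4 threshold the message gives as the fix, which is the check a maintainer would run across their applications after a note like this. It uses only `Gem::Version`, which ships with RubyGems, so a prerelease such as `3.0.4.rc1` sorts below `3.0.4` and is correctly reported as unfixed. The lockfile fragments are constructed for the demonstration.

```ruby
require 'rubygems' # Gem::Version comes with RubyGems; no external gem needed

# First version the advisory names as fixed.
BSON_FIXED_VERSION = Gem::Version.new("3.0.4")

# Pull every direct "name (version)" entry out of the specs: block of a
# Gemfile.lock. Returns a Hash of gem name => Gem::Version.
def lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    # A "specs:" label opens the block; the next non-indented line closes it.
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /^\s/
    next unless in_specs
    # Pinned gems are indented four spaces: "    bson (3.0.3)".
    # Their dependencies are indented six spaces and carry constraints such
    # as "(~> 3.0)", which the version pattern below deliberately rejects.
    if line =~ /^\s{4}(\S+) \(([\w.\-]+)\)\s*$/
      name, version = $1, $2
      begin
        specs[name] = Gem::Version.new(version)
      rescue ArgumentError
        # Skip anything that is not a parseable version string.
      end
    end
  end
  specs
end

# Classify the bson pin in a lockfile: :missing, :vulnerable or :fixed.
# Gem::Version orders prereleases below the release they precede, so
# "3.0.4.rc1" is reported as :vulnerable.
def bson_status(lockfile_text)
  version = lockfile_specs(lockfile_text)["bson"]
  return :missing if version.nil?
  version >= BSON_FIXED_VERSION ? :fixed : :vulnerable
end

# Constructed Gemfile.lock fragments (not taken from any real project).
VULNERABLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    bson (3.0.3)
    mongo (2.0.4)
      bson (~> 3.0)

PLATFORMS
  ruby

DEPENDENCIES
  mongo
LOCK

FIXED_LOCK = VULNERABLE_LOCK.sub("bson (3.0.3)", "bson (3.0.4)")
PRERELEASE_LOCK = VULNERABLE_LOCK.sub("bson (3.0.3)", "bson (3.0.4.rc1)")

# Read a real lockfile from disk and return its classification.
def bson_status_for_file(path)
  bson_status(File.read(path))
end

if __FILE__ == $PROGRAM_NAME
  puts "constructed lockfile pinning 3.0.3:     #{bson_status(VULNERABLE_LOCK)}"
  puts "constructed lockfile pinning 3.0.4:     #{bson_status(FIXED_LOCK)}"
  puts "constructed lockfile pinning 3.0.4.rc1: #{bson_status(PRERELEASE_LOCK)}"
  puts "Gemfile.lock in cwd:                    #{bson_status_for_file('Gemfile.lock')}" if File.exist?('Gemfile.lock')
end
```

Only the four-space-indented lines are read as pins because the six-space dependency lines in a lockfile state constraints, not the version actually resolved; the resolved version is the one that matters for deciding whether the fix is installed.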
