Bug 268515 - <dev-lang/ruby-{1.8.6-p368, 1.8.7-p160} is vulnerable to CVE-2007-1558
Summary: <dev-lang/ruby-{1.8.6-p368, 1.8.7-p160} is vulnerable to CVE-2007-1558
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://svn.ruby-lang.org/cgi-bin/view...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-03 20:53 UTC by Alex Legler (RETIRED)
Modified: 2009-05-09 17:30 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-03 20:53:14 UTC
CVE-2007-1558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1558):
  The APOP protocol allows remote attackers to guess the first 3
  characters of a password via man-in-the-middle (MITM) attacks that
  use crafted message IDs and MD5 collisions.  NOTE: this design-level
  issue potentially affects all products that use APOP, including (1)
  Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2)
  Evolution, (3) mutt, (4) fetchmail, (5) SeaMonkey 1.0.x before 1.0.9
  and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, and possibly
  other products.
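The exchange the NVD text refers to, as an added example in Ruby (the language of the affected package): this is not code from the bug, from the Ruby fix linked in the URL field, or from any of the clients listed above. It shows the RFC 1939 APOP handshake from both sides, a client that hashes whatever the server sends (the vulnerable shape) next to one that refuses a timestamp that is not a well-formed msg-id, which is the class of check the affected clients adopted, since the collision blocks a man-in-the-middle substitutes contain bytes that never occur in a msg-id. It does not generate MD5 collisions; the crafted greeting, the STRICT_STAMP pattern, the host names and the credentials are all constructed for the example.

```ruby
require 'digest/md5'

# RFC 1939 APOP in outline: the server greeting carries a msg-id style
# timestamp such as "<1896.697170952@dbc.mtview.ca.us>" and the client
# answers "APOP <name> <hex MD5(timestamp + secret)>". The secret never
# crosses the wire, but whoever sends the greeting chooses what gets
# hashed together with it. CVE-2007-1558 abuses clients that accept any
# bytes as a timestamp: a man-in-the-middle substitutes MD5 collision
# blocks for the timestamp, and the client's digest then reveals whether
# the attacker's guess of the next password character was right.
#
# Mitigation: accept only a timestamp that is a single msg-id.
# Assumption: STRICT_STAMP is a pattern written for this example (one '<',
# printable ASCII without space, '<', '>' or '@' on both sides of exactly
# one '@', one '>'); it is not quoted from the Ruby fix linked in the bug.
STRICT_STAMP = /\A<[!-;=?A-~]+@[!-;=?A-~]+>\z/

class ApopError < StandardError; end

# --- server side -----------------------------------------------------

def apop_greeting(host, pid: Process.pid, now: Time.now.to_i)
  "+OK POP3 server ready <#{pid}.#{now}@#{host}>"
end

def apop_digest(stamp, secret)
  Digest::MD5.hexdigest(stamp + secret)
end

# Checks "APOP <name> <32 hex digits>" against the secret on file.
def apop_verify(stamp, user, secret, response)
  m = response.match(/\AAPOP (\S+) ([0-9a-f]{32})\z/)
  return false unless m && m[1] == user
  m[2] == apop_digest(stamp, secret)
end

# --- client side -----------------------------------------------------

# strict: false reproduces the vulnerable behaviour: whatever sits between
# the first '<' and the next '>' is hashed with the secret, collision
# blocks included. strict: true refuses anything that is not a well-formed
# msg-id, so attacker-chosen bytes never reach MD5 alongside the secret.
def apop_client(greeting, user, secret, strict: true)
  start = greeting.index('<')
  stop  = greeting.index('>', start.to_i)
  raise ApopError, 'no APOP timestamp in greeting' unless start && stop
  stamp = greeting[start..stop]
  if strict && STRICT_STAMP !~ stamp
    raise ApopError, "refusing malformed APOP timestamp #{stamp.inspect}"
  end
  "APOP #{user} #{apop_digest(stamp, secret)}"
end

# --- constructed sample exchange (not captured traffic) ---------------

HONEST_GREETING = apop_greeting('pop.example.test', pid: 4711, now: 1241383994)
# Stand-in for a man-in-the-middle greeting: bytes that can never occur in
# a msg-id take the place of the collision blocks used by the real attack.
CRAFTED_GREETING = "+OK POP3 server ready <\x00\xff\x00\xff@x>".b

if __FILE__ == $0
  user, secret = 'alice', 'correct horse battery'
  reply = apop_client(HONEST_GREETING, user, secret)
  puts reply
  puts apop_verify('<4711.1241383994@pop.example.test>', user, secret, reply)
  begin
    apop_client(CRAFTED_GREETING, user, secret)
  rescue ApopError => e
    puts e.message
  end
  # The vulnerable client hashes the secret right after attacker bytes.
  puts apop_client(CRAFTED_GREETING, user, secret, strict: false)
end
```

Run it with `ruby apop_example.rb` (file name assumed). The strict client raises before the password is ever concatenated with attacker-controlled data; the `strict: false` path shows why format validation matters even though MD5's output is not itself the secret: what leaks is whether two attacker-chosen prefixes collide once the first password bytes are appended, and that only works if the client lets arbitrary bytes through as a "timestamp".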
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-03 20:54:09 UTC
Will commit ebuilds tomorrow.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-07 17:04:56 UTC
Arches, please test and mark stable:
=app-admin/eselect-ruby-20081227
=dev-lang/ruby-1.8.6_p368
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-05-07 18:27:06 UTC
ppc64 done
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-05-07 18:27:12 UTC
ppc done
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-07 18:31:36 UTC
Stable on alpha.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-07 20:26:23 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-05-08 16:13:03 UTC
arm/ia64/s390/sh/sparc stable
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-08 17:07:42 UTC
amd64 done.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-09 17:16:01 UTC
Stable for HPPA.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-09 17:30:44 UTC
All the other bugs for this CVE got "noglsa"; I don't think that ruby is so special as to warrant one. Thanks everyone.