
Bug 268515

Summary: <dev-lang/ruby-{1.8.6-p368, 1.8.7-p160} is vulnerable to CVE-2007-1558
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hanno, ruby
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22000
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-03 20:53:14 UTC
CVE-2007-1558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1558):
  The APOP protocol allows remote attackers to guess the first 3
  characters of a password via man-in-the-middle (MITM) attacks that
  use crafted message IDs and MD5 collisions.  NOTE: this design-level
  issue potentially affects all products that use APOP, including (1)
  Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2)
  Evolution, (3) mutt, (4) fetchmail, (5) SeaMonkey 1.0.x before 1.0.9
  and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, and possibly
  other products.
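The NVD text above names the attacker's leverage: the APOP timestamp is chosen by the server side of the connection and goes straight into MD5(timestamp + password), so a crafted message ID gives an attacker control of the hash prefix. The usual client-side hardening is to refuse any timestamp that is not a well-formed RFC 1939 msg-id before computing the digest. The Ruby example below is an added illustration of that check and is not the Gentoo ebuild or Ruby's own net/pop.rb change (it is assumed here that the upstream fix takes a comparable approach); the greeting strings are constructed, apart from the RFC 1939 worked example and its digest.

```ruby
require 'digest/md5'

# RFC 1939 section 7: an APOP-capable server ends its greeting with a
# timestamp of the form <local-part@domain>, and the client answers with
# MD5(timestamp + password). Added example, not Ruby's net/pop.rb code.

# Accept only a timestamp that looks like a single msg-id: printable ASCII,
# no whitespace or control bytes, exactly one '<', one '@' and one '>'.
def valid_apop_timestamp?(stamp)
  return false unless stamp.is_a?(String) && stamp.ascii_only?
  return false unless stamp.match?(/\A[!-~]+\z/)       # printable, no whitespace
  stamp.match?(/\A<[^<>@]+@[^<>@]+>\z/)                # one <local@domain>, nothing else
end

# Pull the timestamp out of a "+OK ..." greeting; nil means the greeting did
# not end in a well-formed msg-id, so the client should not attempt APOP.
def extract_apop_timestamp(greeting)
  return nil unless greeting.is_a?(String) && greeting.start_with?('+OK')
  stamp = greeting.strip.split(/\s+/).last
  valid_apop_timestamp?(stamp) ? stamp : nil
end

# Compute the APOP response. The check is repeated here so that a digest over
# an unvalidated, server-chosen prefix can never be produced by mistake.
def apop_digest(stamp, password)
  raise ArgumentError, 'refusing APOP: malformed timestamp' unless valid_apop_timestamp?(stamp)
  Digest::MD5.hexdigest(stamp + password)
end

# Constructed greetings: the RFC 1939 worked example, one with the '@'
# removed, one carrying a control byte, and one with no timestamp at all.
SAMPLE_GREETINGS = [
  '+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>',
  '+OK POP3 server ready <1896.697170952dbc.mtview.ca.us>',
  "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us\x01>",
  '+OK POP3 server ready'
].freeze

# Map each greeting to the timestamp a client would accept (nil = refuse APOP).
def classify_greetings(greetings = SAMPLE_GREETINGS)
  greetings.map { |g| [g, extract_apop_timestamp(g)] }
end

if $PROGRAM_NAME == __FILE__
  classify_greetings.each do |greeting, stamp|
    puts "#{greeting.inspect} -> #{stamp ? "APOP with #{stamp}" : 'refuse APOP'}"
  end
  # RFC 1939's own example: password "tanstaaf" gives c4c9334bac560ecc979e58001b3e22fb
  puts apop_digest('<1896.697170952@dbc.mtview.ca.us>', 'tanstaaf')
end
```

Syntax checking shrinks what a crafted greeting can carry, but it does not change the protocol's shape: the peer still picks the MD5 prefix, which is why the entry above calls this a design-level issue. Where the path to the server is untrusted, the durable mitigation is to prefer a TLS-protected session over APOP rather than to trust the timestamp at all.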
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-03 20:54:09 UTC
Will commit ebuilds tomorrow.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-07 17:04:56 UTC
Arches, please test and mark stable:
=app-admin/eselect-ruby-20081227
=dev-lang/ruby-1.8.6_p368
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-05-07 18:27:06 UTC
ppc64 done
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-05-07 18:27:12 UTC
ppc done
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-07 18:31:36 UTC
Stable on alpha.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-07 20:26:23 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-05-08 16:13:03 UTC
arm/ia64/s390/sh/sparc stable
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-08 17:07:42 UTC
amd64 done.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-09 17:16:01 UTC
Stable for HPPA.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-09 17:30:44 UTC
All the other bugs for this CVE got "noglsa", don't think that ruby is so special to warrant one. Thanks everyone.