| Summary | dev-lang/ruby-2.4.0: IV Reuse in GCM Mode |
|---|---|
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | ruby |
| Priority | Normal |
| Keywords | PATCH |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1381526 |
| Whiteboard | B3 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
Description

Agostino Sarubbo
2016-10-06 15:46:13 UTC

@maintainer(s), can you patch or is this already in a release?

This is fixed in the ruby-openssl repository, but we use the bundled (or rather, embedded) version distributed with dev-lang/ruby itself and that has not been updated yet. Backporting doesn't look trivial because this patch builds upon additional changes made in ruby-openssl. It may be possible to unbundle this for ruby 2.3.

Hans, if you can please do not add version info, until you are ready to call for stabilization.

@Hans Ruby target 22 was already dropped, were you able to unbundle this in 23? Thanks

(In reply to Christopher Díaz Riveros from comment #4)
> Ruby target 22 was already dropped, were you able to unbundle this in 23?

I haven't tried yet and I am also hesitant to do so since it may introduce hard-to-find compatibility issues since ruby packages expect to find specific openssl versions bundled with different ruby versions.

I think it makes more sense now to focus on removal of ruby23 which can be started once ruby24 is stable.

(In reply to Hans de Graaff from comment #5)
> (In reply to Christopher Díaz Riveros from comment #4)
> > Ruby target 22 was already dropped, were you able to unbundle this in 23?
>
> I haven't tried yet and I am also hesitant to do so since it may introduce
> hard-to-find compatibility issues since ruby packages expect to find
> specific openssl versions bundled with different ruby versions.
>
> I think it makes more sense now to focus on removal of ruby23 which can be
> started once ruby24 is stable.

Hans, thanks for the info.

ruby23 is gone now. Was this fixed in Ruby24?

It's fixed in dev-lang/ruby since https://github.com/ruby/ruby/commit/aab0d67a1ff5190ff7a951e40cee742210302aed which is present since >=dev-lang/ruby-2.4.0!

GLSA Vote: No!

Repository is clean, all done!