[Secure-testing-team] Bug#635878: PRNG weaknesses
Moritz Muehlenhoff
jmm at debian.org
Fri Jul 29 10:05:12 UTC 2011
Package: ruby1.8
Version: 1.8.7.352-1
Severity: grave
Tags: security
Please see the following posting on oss-security:
--------
> On 07/11/2011 02:07 PM, Ludwig Nussel wrote:
>
> > http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
> > http://redmine.ruby-lang.org/issues/4579
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
>
> Looking at the above patches, there seem to be two issues here,
> perhaps it needs two CVE ids to be assigned?
>
> 1. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
>
> This one pertains to rand returning same values in forked processes.
> http://redmine.ruby-lang.org/issues/show/4338
> This is a regression, as it was fixed in 1.8.6-p114, but re-appeared in
> 1.8.6-p399.
Let's use CVE-2011-2686 for this one.
>
> 2. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
>
> This is an issue in the securerandom.rb module.
> http://redmine.ruby-lang.org/issues/4579
>
Use CVE-2011-2705 for this.
----------
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ruby1.8 depends on:
ii libc6 2.13-10 Embedded GNU C Library: Shared lib
ii libruby1.8 1.8.7.352-1 Libraries necessary to run Ruby 1.
ruby1.8 recommends no packages.
Versions of packages ruby1.8 suggests:
pn ri1.8 <none> (no description available)
pn ruby1.8-examples <none> (no description available)
-- no debconf information
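The first issue above (CVE-2011-2686) is that a forked child replays the parent's `Kernel#rand` sequence. Below is an added regression check, not code from the report or from the Ruby project: it forks, draws a few values in the child and in the parent from the same pre-fork PRNG state, and reports whether they collide. The same fork test is also run against `SecureRandom`, the module named in the second issue; whether that module's actual bug (CVE-2011-2705) shows up as a post-fork repeat is an assumption, the report gives no details.

```ruby
require 'securerandom'

SAMPLE_COUNT = 8

# Draw `count` values with the supplied generator block.
def draw_sequence(count, &draw)
  Array.new(count) { draw.call }
end

# Fork a child that draws `count` values right after the fork and ships
# them back to the parent over a pipe as one comma-separated line.
def child_sequence_after_fork(count, &draw)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    writer.write(draw_sequence(count, &draw).join(","))
    writer.close
    exit!(0) # skip at_exit handlers so the child exits cleanly
  end
  writer.close
  data = reader.read
  reader.close
  Process.wait(pid)
  data.split(",")
end

# true  : child and parent produce different sequences (expected behaviour)
# false : the child replays the parent's sequence (the reported regression)
# nil   : platform has no fork(2), nothing to check
def fork_diverges?(count = SAMPLE_COUNT, &draw)
  return nil unless Process.respond_to?(:fork)
  draw.call # make sure the generator is seeded before forking
  child  = child_sequence_after_fork(count, &draw)
  parent = draw_sequence(count, &draw).map(&:to_s)
  child != parent
end

def fork_rand_diverges?
  fork_diverges? { rand(1 << 31) }
end

# Assumption: a post-fork repeat is the right symptom to look for here too.
def fork_securerandom_diverges?
  fork_diverges? { SecureRandom.hex(8) }
end

if __FILE__ == $PROGRAM_NAME
  { "Kernel#rand" => fork_rand_diverges?,
    "SecureRandom.hex" => fork_securerandom_diverges? }.each do |name, ok|
    puts "#{name}: #{ok.nil? ? 'fork unavailable' : (ok ? 'diverges after fork' : 'REPEATS after fork')}"
  end
end
```

On an affected interpreter `fork_rand_diverges?` returns false; on a fixed one the child is reseeded after fork and it returns true.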