From: Ben Woodcroft
Subject: Re: Ruby / OpenSSL security issue
Date: Sat, 1 Oct 2016 09:46:23 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
On 01/10/16 03:32, Leo Famulari wrote:
> On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> > On 21/09/16 05:05, Leo Famulari wrote:
> > > On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> > > > On 20/09/16 12:06, Leo Famulari wrote:
> > > > > Ruby users,
> > > > >
> > > > > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > > > > AES-GCM mode [0]. Does anyone volunteer to investigate the bug report
> > > > > and decide what to do about it for our Ruby package?
> > > >
> > > > Thanks for the report Leo. I don't think much can be done about this
> > > > until a fix is released, no? It has unfortunately been around since March
> > > > on that GitHub page; hopefully the report on oss-sec will spur some action.
> > >
> > > Okay, do you volunteer to track this bug upstream? :)
> >
> > Sure, OK.
>
> Ping :) The Ruby developers have committed a fix, apparently:
> http://seclists.org/oss-sec/2016/q3/680
Thanks for keeping on top of this. The difficulty is that the fix released is not for the bundled openssl that comes with ruby itself, but for a separate repository.
There is a 'ruby_2_3 branch'[0] where fixes are backported. Do you think it would make sense to have a 'ruby-2.3-backports' package as a replacement for the 'ruby-2.3' package which tracks the 'ruby_2_3' branch? I see there are other fixes in there that probably have security implications.
The issue at hand has not yet been backported though, and the patch for fixing it does not apply to either the released 2.3.1 or even the backport branch. So, we wait, I think. I suspect that my trying to backport the patch myself is likely to do more harm than good. WDYT?
ben

[0]: https://github.com/ruby/ruby/tree/ruby_2_3
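The bug class the thread is tracking, as an added example that is not from this thread, from Ruby, or from the openssl gem's own tests: a Ruby script a packager could run against the built interpreter to confirm that an OpenSSL::Cipher AES-GCM instance actually uses the IV it is given, a demonstration of why a reused IV is serious, and a wrapper that never lets a caller pick the IV. The thread does not describe the defect's mechanism, so trying both key-then-IV and IV-then-key ordering is an assumption about where such a defect could hide, not a statement about the upstream fix.

```ruby
require 'openssl'
require 'securerandom'
# One encryption with an explicit key and IV. Whether key or IV is set first
# is a parameter: a binding that silently drops the IV in one order can look
# correct in the other, so a check has to try both (assumption, see lead-in).
def gcm_encrypt(key, iv, plaintext, iv_first: false)
  c = OpenSSL::Cipher.new('aes-128-gcm')
  c.encrypt
  iv_first ? (c.iv = iv; c.key = key) : (c.key = key; c.iv = iv)
  ciphertext = c.update(plaintext) + c.final
  [ciphertext, c.auth_tag]
end

# Regression check a packager can run: same key, same plaintext, two fresh IVs
# must give two different ciphertexts; equal output means the IV was ignored.
def iv_honoured?(iv_first: false)
  key = SecureRandom.random_bytes(16)
  pt = 'same plaintext every time'
  ct1, = gcm_encrypt(key, SecureRandom.random_bytes(12), pt, iv_first: iv_first)
  ct2, = gcm_encrypt(key, SecureRandom.random_bytes(12), pt, iv_first: iv_first)
  ct1 != ct2
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Why reuse matters: GCM is CTR mode underneath, so one key+IV pair gives one
# keystream; XORing two ciphertexts cancels it and exposes pt1 XOR pt2.
def keystream_reuse_leaks?(key, iv, pt1, pt2)
  ct1, = gcm_encrypt(key, iv, pt1)
  ct2, = gcm_encrypt(key, iv, pt2)
  xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)
end

# Safe wrapper: callers never supply an IV; a fresh 96-bit random nonce is
# drawn per message and shipped with the output as iv || tag || ciphertext.
def seal(key, plaintext)
  iv = SecureRandom.random_bytes(12)
  ct, tag = gcm_encrypt(key, iv, plaintext)
  iv + tag + ct
end
def unseal(key, blob)
  d = OpenSSL::Cipher.new('aes-128-gcm')
  d.decrypt
  d.key = key
  d.iv = blob[0, 12]
  d.auth_tag = blob[12, 16]
  d.update(blob[28..-1]) + d.final # raises OpenSSL::Cipher::CipherError on a bad tag
end
```

Run `iv_honoured?` in both orders against the packaged Ruby: a false result in either order is the symptom worth reporting, independent of which upstream branch the fix has reached.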