Hey all--

Just thought I'd point this out to folks: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

The details are still unclear, but I suspect people on this list will want to follow the issue closely, since a remote code exec in Ruby is a network-wide root compromise for us...

See also http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ for a bit more detail.

-sq

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Luke Kanies
2008-Jun-21 19:07 UTC
[Puppet Users] Re: Possible remote-code execution in Ruby
On Jun 21, 2008, at 11:59 AM, Sam Quigley wrote:

> Hey all--
>
> Just thought I'd point this out to folks: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
>
> The details are still unclear, but I suspect people on this list will
> want to follow the issue closely, since a remote code exec in Ruby is
> a network-wide root compromise for us...
>
> See also http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
> for a bit more detail.

I can't really figure out what the specific problems are here. I can't seem to get my security hat to fit correctly right now, but I *think* at worst this is a DoS in nearly all cases, and really, it would likely take a good bit of work to figure out if any of Puppet is vulnerable to this.

The only part of Puppet you can even talk to without a certificate is the CA, so that makes it a bit harder to exploit, anyway.

--
Yesterday upon the stair I met a man who wasn't there. He wasn't there again today -- I think he's from the CIA.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com