Moritz Muehlenhoff
2011-Jul-29 10:05 UTC
[Secure-testing-team] Bug#635878: PRNG weaknesses
Package: ruby1.8
Version: 1.8.7.352-1
Severity: grave
Tags: security

Please see the following posting on oss-security:

-------->
On 07/11/2011 02:07 PM, Ludwig Nussel wrote:
> > http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
> > http://redmine.ruby-lang.org/issues/4579
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
>
> Looking at the above patches, there seems to be two issues here, perhaps
> it needs two CVE ids to be assigned?
>
> 1. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
>
> This one pertains to rand returning same values in forked processes.
> http://redmine.ruby-lang.org/issues/show/4338
> This is a regression, as it was fixed in 1.8.6-p114, but re-appeared in
> 1.8.6-p399.

Let's use CVE-2011-2686 for this one.

> 2. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
>
> This is an issue in the securerandom.rb module.
> http://redmine.ruby-lang.org/issues/4579

Use CVE-2011-2705 for this.
----------

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ruby1.8 depends on:
ii  libc6       2.13-10       Embedded GNU C Library: Shared lib
ii  libruby1.8  1.8.7.352-1   Libraries necessary to run Ruby 1.

ruby1.8 recommends no packages.

Versions of packages ruby1.8 suggests:
pn  ri1.8             <none>  (no description available)
pn  ruby1.8-examples  <none>  (no description available)

-- no debconf information
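A quick regression check for the first issue (CVE-2011-2686, rand returning the same values in forked processes), added here as an example and not part of the bug report or of Ruby's own code: fork a few children, have each report a short run of rand() values over a pipe, and flag any processes whose sequences are identical. The child count, sample size and the helper names are assumptions; an interpreter that reseeds on fork reports distinct sequences.

```ruby
# Added example: detect a rand()-after-fork regression of the kind
# described in CVE-2011-2686. Not code from the bug report or from Ruby.

CHILDREN = 4   # assumed number of worker processes to spawn
SAMPLES  = 5   # assumed number of rand() values each process reports

# Draw n values from the current process's default PRNG.
def sample_prng(n = SAMPLES)
  Array.new(n) { rand(2**31) }
end

# Fork `count` children; each sends its sample back over a pipe.
# Returns { "parent" => [...], "child0" => [...], ... }.
# With a broken interpreter every child inherits the parent's PRNG state
# unchanged at fork time, so all children emit the same sequence.
def sample_across_fork(count = CHILDREN)
  results = { "parent" => sample_prng }
  count.times do |i|
    reader, writer = IO.pipe
    pid = fork do
      reader.close
      writer.puts sample_prng.join(",")
      writer.close
      exit!(0)
    end
    writer.close
    results["child#{i}"] = reader.read.strip.split(",").map(&:to_i)
    reader.close
    Process.wait(pid)
  end
  results
end

# Given { name => [values] }, return groups of process names that produced
# an identical sequence (2+ members each); [] means all were distinct.
def duplicate_sequences(samples)
  samples.group_by { |_, seq| seq }.values
         .map { |pairs| pairs.map(&:first) }
         .select { |names| names.size > 1 }
end

if __FILE__ == $0 && Process.respond_to?(:fork)
  begin
    dups = duplicate_sequences(sample_across_fork)
    if dups.empty?
      puts "OK: parent and #{CHILDREN} children drew distinct sequences"
    else
      puts "WARNING: identical rand() sequences in #{dups.inspect}"
    end
  rescue NotImplementedError, SystemCallError => e
    puts "fork unavailable here (#{e.class}); cannot run the check"
  end
end
```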