* Ruby / OpenSSL security issue
@ 2016-09-20 2:06 Leo Famulari
From: Leo Famulari @ 2016-09-20 2:06 UTC (permalink / raw)
To: guix-devel
Ruby users,
There is a bug report on Ruby's OpenSSL module regarding IV re-use in
AES-GCM mode [0].
Does anyone volunteer to investigate the bug report and decide what to
do about it for our Ruby package?
[0]
http://seclists.org/oss-sec/2016/q3/562
https://github.com/ruby/openssl/issues/49
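As an added illustration, not part of the thread or of Ruby's own code: the defensive way to drive AES-GCM through Ruby's OpenSSL binding, drawing a fresh random 96-bit IV for every message, setting the key before the IV, and bundling the IV with the ciphertext and tag so callers never manage it by hand; the `gcm_encrypt`, `gcm_decrypt` and `iv_reuse_detected?` names are mine, and the self-check at the end is one a packager can run against a Ruby build to confirm that repeated encryptions under one key never repeat an IV.

```ruby
require 'openssl'
require 'securerandom'

IV_LEN  = 12  # 96-bit nonce, the recommended GCM IV size
TAG_LEN = 16  # full-length GCM authentication tag

# Encrypts with AES-256-GCM, drawing a fresh random IV on every call.
# Returns iv || ciphertext || tag so the caller never reuses an IV by accident.
def gcm_encrypt(key, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key                          # key first ...
  iv = SecureRandom.random_bytes(IV_LEN)
  cipher.iv = iv                            # ... then the per-message IV
  cipher.auth_data = aad unless aad.empty?  # AAD is authenticated, not encrypted
  ct = cipher.update(plaintext) + cipher.final
  iv + ct + cipher.auth_tag(TAG_LEN)
end

# Splits iv || ciphertext || tag and decrypts; any bit flip in the IV,
# ciphertext, tag or AAD makes #final raise OpenSSL::Cipher::CipherError.
def gcm_decrypt(key, blob, aad = '')
  raise ArgumentError, 'blob too short' if blob.bytesize < IV_LEN + TAG_LEN
  iv  = blob.byteslice(0, IV_LEN)
  tag = blob.byteslice(-TAG_LEN, TAG_LEN)
  ct  = blob.byteslice(IV_LEN, blob.bytesize - IV_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag                     # must be set before #final
  cipher.auth_data = aad unless aad.empty?
  (ct.empty? ? ''.b : cipher.update(ct)) + cipher.final
end

# Defensive self-check: encrypt one message n times under a single key and
# report whether any IV came back twice. A binding that silently reuses the
# IV between calls trips this check; a correct one returns false.
def iv_reuse_detected?(key, n = 200)
  seen = {}
  n.times do
    iv = gcm_encrypt(key, 'same plaintext').byteslice(0, IV_LEN)
    return true if seen[iv]
    seen[iv] = true
  end
  false
end
```

The check only exercises the fresh-IV-per-call pattern shown here; it does not reproduce the specific trigger in the linked report, which the thread does not describe.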
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-20 5:17 UTC (permalink / raw)
To: Leo Famulari, guix-devel
On 20/09/16 12:06, Leo Famulari wrote:
> Ruby users,
>
> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> AES-GCM mode [0].
>
> Does anyone volunteer to investigate the bug report and decide what to
> do about it for our Ruby package?
Thanks for the report, Leo. I don't think much can be done about this
until a fix is released, no? It has unfortunately been around since March
on that GitHub page; hopefully the report on oss-sec will spur some action.
ben
* Re: Ruby / OpenSSL security issue
From: Leo Famulari @ 2016-09-20 19:05 UTC (permalink / raw)
To: Ben Woodcroft; +Cc: guix-devel
On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> On 20/09/16 12:06, Leo Famulari wrote:
> > Ruby users,
> >
> > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > AES-GCM mode [0].
> >
> > Does anyone volunteer to investigate the bug report and decide what to
> > do about it for our Ruby package?
>
> Thanks for the report, Leo. I don't think much can be done about this until
> a fix is released, no? It has unfortunately been around since March on that
> GitHub page; hopefully the report on oss-sec will spur some action.
Okay, do you volunteer to track this bug upstream? :)
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-21 1:19 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 21/09/16 05:05, Leo Famulari wrote:
> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>> On 20/09/16 12:06, Leo Famulari wrote:
>>> Ruby users,
>>>
>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
>>> AES-GCM mode [0].
>>>
>>> Does anyone volunteer to investigate the bug report and decide what to
>>> do about it for our Ruby package?
>> Thanks for the report, Leo. I don't think much can be done about this until
>> a fix is released, no? It has unfortunately been around since March on that
>> GitHub page; hopefully the report on oss-sec will spur some action.
> Okay, do you volunteer to track this bug upstream? :)
Sure, OK.
ben
* Re: Ruby / OpenSSL security issue
From: Leo Famulari @ 2016-09-30 17:32 UTC (permalink / raw)
To: Ben Woodcroft; +Cc: guix-devel
On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> On 21/09/16 05:05, Leo Famulari wrote:
> > On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> > > On 20/09/16 12:06, Leo Famulari wrote:
> > > > Ruby users,
> > > >
> > > > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > > > AES-GCM mode [0].
> > > >
> > > > Does anyone volunteer to investigate the bug report and decide what to
> > > > do about it for our Ruby package?
> > > Thanks for the report, Leo. I don't think much can be done about this until
> > > a fix is released, no? It has unfortunately been around since March on that
> > > GitHub page; hopefully the report on oss-sec will spur some action.
> > Okay, do you volunteer to track this bug upstream? :)
>
> Sure, OK.
Ping :)
The Ruby developers have committed a fix, apparently:
http://seclists.org/oss-sec/2016/q3/680
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-30 23:46 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 01/10/16 03:32, Leo Famulari wrote:
> On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
>> On 21/09/16 05:05, Leo Famulari wrote:
>>> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>>>> On 20/09/16 12:06, Leo Famulari wrote:
>>>>> Ruby users,
>>>>>
>>>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
>>>>> AES-GCM mode [0].
>>>>>
>>>>> Does anyone volunteer to investigate the bug report and decide what to
>>>>> do about it for our Ruby package?
>>>> Thanks for the report, Leo. I don't think much can be done about this until
>>>> a fix is released, no? It has unfortunately been around since March on that
>>>> GitHub page; hopefully the report on oss-sec will spur some action.
>>> Okay, do you volunteer to track this bug upstream? :)
>> Sure, OK.
> Ping :)
>
> The Ruby developers have committed a fix, apparently:
>
> http://seclists.org/oss-sec/2016/q3/680
Thanks for keeping on top of this. The difficulty is that the fix
released is not for the bundled openssl that comes with ruby itself, but
for a separate repository.
There is a 'ruby_2_3 branch'[0] where fixes are backported. Do you think
it would make sense to have a 'ruby-2.3-backports' package as a
replacement for the 'ruby-2.3' package which tracks the 'ruby_2_3'
branch? I see there are other fixes in there that probably have security
implications.
The issue at hand has not yet been backported though, and the patch for
fixing it does not apply to either the released 2.3.1 or even the
backport branch. So, we wait, I think. I suspect that my trying to
backport the patch myself is likely to do more harm than good. WDYT?
ben
[0]: https://github.com/ruby/ruby/tree/ruby_2_3