unofficial mirror of guix-devel@gnu.org 
* Ruby / OpenSSL security issue
@ 2016-09-20  2:06 Leo Famulari
  2016-09-20  5:17 ` Ben Woodcroft
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-09-20  2:06 UTC (permalink / raw)
  To: guix-devel

Ruby users,

There is a bug report on Ruby's OpenSSL module regarding IV re-use in
AES-GCM mode [0].

Does anyone volunteer to investigate the bug report and decide what to
do about it for our Ruby package?

[0]
http://seclists.org/oss-sec/2016/q3/562
https://github.com/ruby/openssl/issues/49

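The report Leo links concerns Ruby's OpenSSL binding reusing an IV (nonce) in AES-GCM mode, which destroys GCM's confidentiality and authenticity guarantees. Below is an added example, not code from the thread, from Ruby or from Guix, showing what a packager or application author can check for on their side: a wrapper that assigns the key before the IV and draws a fresh random nonce per message (the assumption, from my reading of the upstream report rather than anything stated in this thread, is that the defect showed up when the IV was assigned before the key), a regression test that encrypting the same plaintext repeatedly never repeats a nonce, a tamper check that a modified ciphertext is rejected, and a detector that scans stored records for a (key id, IV) pair used more than once. `SAMPLE_RECORDS` is a constructed input for the detector.

```ruby
require 'openssl'

# Encrypt with AES-256-GCM. The key is assigned before the IV, and a fresh
# 12-byte nonce is generated for every call via Cipher#random_iv. Returns the
# nonce, ciphertext and 16-byte authentication tag together.
def gcm_encrypt(key, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # sets the IV on the cipher and returns it
  cipher.auth_data = aad unless aad.empty?
  ct = cipher.update(plaintext) + cipher.final
  { iv: iv, ct: ct, tag: cipher.auth_tag }
end

# Decrypt and verify. The tag is supplied before #final so that a mismatch
# raises OpenSSL::Cipher::CipherError instead of returning garbage.
def gcm_decrypt(key, msg, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = msg[:iv]
  cipher.auth_tag = msg[:tag]
  cipher.auth_data = aad unless aad.empty?
  cipher.update(msg[:ct]) + cipher.final
end

# Regression check: n encryptions of the same plaintext under one key must
# produce n distinct nonces. A binding that silently resets the IV (the class
# of bug reported upstream) collapses these to a single value.
def nonces_unique?(key, plaintext, n = 50)
  ivs = Array.new(n) { gcm_encrypt(key, plaintext)[:iv] }
  ivs.uniq.size == n
end

# Tamper check: flipping one ciphertext bit must make decryption fail.
def rejects_tampering?(key, plaintext)
  msg = gcm_encrypt(key, plaintext, 'hdr')
  tampered_ct = msg[:ct].dup
  tampered_ct.setbyte(0, tampered_ct.getbyte(0) ^ 0x01)
  gcm_decrypt(key, msg.merge(ct: tampered_ct), 'hdr')
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# Constructed sample: stored messages with the key id and nonce they used.
# The same nonce under the same key appears twice; the same nonce under a
# different key is not a reuse.
SAMPLE_RECORDS = [
  { key_id: 'k1', iv: "\x00" * 12 },
  { key_id: 'k1', iv: "\x01" * 12 },
  { key_id: 'k1', iv: "\x00" * 12 },
  { key_id: 'k2', iv: "\x00" * 12 },
].freeze

# Nonce-reuse detector over a batch of records: returns every (key_id, iv)
# pair that occurs more than once.
def find_reused_nonces(records)
  counts = Hash.new(0)
  records.each { |r| counts[[r[:key_id], r[:iv]]] += 1 }
  counts.select { |_, c| c > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32)
  puts "round trip ok:     #{gcm_decrypt(key, gcm_encrypt(key, 'hello', 'hdr'), 'hdr') == 'hello'}"
  puts "nonces unique:     #{nonces_unique?(key, 'same plaintext')}"
  puts "tamper rejected:   #{rejects_tampering?(key, 'hello')}"
  puts "reused nonces:     #{find_reused_nonces(SAMPLE_RECORDS).inspect}"
end
```

The `nonces_unique?` check is the one worth wiring into a package's test phase: it is cheap, needs no fixtures, and fails loudly on exactly the behaviour the upstream report describes. The record scanner is for the other side of the problem, finding out whether data already encrypted by an affected version needs re-encryption under fresh nonces.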

* Re: Ruby / OpenSSL security issue
  2016-09-20  2:06 Ruby / OpenSSL security issue Leo Famulari
@ 2016-09-20  5:17 ` Ben Woodcroft
  2016-09-20 19:05   ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: Ben Woodcroft @ 2016-09-20  5:17 UTC (permalink / raw)
  To: Leo Famulari, guix-devel
On 20/09/16 12:06, Leo Famulari wrote:
> Ruby users,
>
> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> AES-GCM mode [0].
>
> Does anyone volunteer to investigate the bug report and decide what to
> do about it for our Ruby package?

Thanks for the report, Leo.  I don't think much can be done about this 
until a fix is released, no? It has unfortunately been around since March 
on that GitHub page; hopefully the report on oss-sec will spur some action.

ben


* Re: Ruby / OpenSSL security issue
  2016-09-20  5:17 ` Ben Woodcroft
@ 2016-09-20 19:05   ` Leo Famulari
  2016-09-21  1:19     ` Ben Woodcroft
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-09-20 19:05 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> On 20/09/16 12:06, Leo Famulari wrote:
> > Ruby users,
> > 
> > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > AES-GCM mode [0].
> > 
> > Does anyone volunteer to investigate the bug report and decide what to
> > do about it for our Ruby package?
> 
> Thanks for the report Leo.  I don't think much can be done about this until
> a fix is released, no? It is unfortunately been around since March on that
> GitHub page, hopefully the report on oss-sec will spur some action.

Okay, do you volunteer to track this bug upstream? :)


* Re: Ruby / OpenSSL security issue
  2016-09-20 19:05   ` Leo Famulari
@ 2016-09-21  1:19     ` Ben Woodcroft
  2016-09-30 17:32       ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: Ben Woodcroft @ 2016-09-21  1:19 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On 21/09/16 05:05, Leo Famulari wrote:
> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>> On 20/09/16 12:06, Leo Famulari wrote:
>>> Ruby users,
>>>
>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
>>> AES-GCM mode [0].
>>>
>>> Does anyone volunteer to investigate the bug report and decide what to
>>> do about it for our Ruby package?
>> Thanks for the report Leo.  I don't think much can be done about this until
>> a fix is released, no? It is unfortunately been around since March on that
>> GitHub page, hopefully the report on oss-sec will spur some action.
> Okay, do you volunteer to track this bug upstream? :)

Sure, OK.
ben


* Re: Ruby / OpenSSL security issue
  2016-09-21  1:19     ` Ben Woodcroft
@ 2016-09-30 17:32       ` Leo Famulari
  2016-09-30 23:46         ` Ben Woodcroft
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-09-30 17:32 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> On 21/09/16 05:05, Leo Famulari wrote:
> > On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> > > On 20/09/16 12:06, Leo Famulari wrote:
> > > > Ruby users,
> > > > 
> > > > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > > > AES-GCM mode [0].
> > > > 
> > > > Does anyone volunteer to investigate the bug report and decide what to
> > > > do about it for our Ruby package?
> > > Thanks for the report Leo.  I don't think much can be done about this until
> > > a fix is released, no? It is unfortunately been around since March on that
> > > GitHub page, hopefully the report on oss-sec will spur some action.
> > Okay, do you volunteer to track this bug upstream? :)
> 
> Sure, OK.

Ping :)

The Ruby developers have committed a fix, apparently:

http://seclists.org/oss-sec/2016/q3/680


* Re: Ruby / OpenSSL security issue
  2016-09-30 17:32       ` Leo Famulari
@ 2016-09-30 23:46         ` Ben Woodcroft
  0 siblings, 0 replies; 6+ messages in thread
From: Ben Woodcroft @ 2016-09-30 23:46 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel
On 01/10/16 03:32, Leo Famulari wrote:
> On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
>> On 21/09/16 05:05, Leo Famulari wrote:
>>> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>>>> On 20/09/16 12:06, Leo Famulari wrote:
>>>>> Ruby users,
>>>>>
>>>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in
>>>>> AES-GCM mode [0].
>>>>>
>>>>> Does anyone volunteer to investigate the bug report and decide what to
>>>>> do about it for our Ruby package?
>>>> Thanks for the report Leo.  I don't think much can be done about this until
>>>> a fix is released, no? It is unfortunately been around since March on that
>>>> GitHub page, hopefully the report on oss-sec will spur some action.
>>> Okay, do you volunteer to track this bug upstream? :)
>> Sure, OK.
> Ping :)
>
> The Ruby developers have committed a fix, apparently:
>
> http://seclists.org/oss-sec/2016/q3/680

Thanks for keeping on top of this. The difficulty is that the fix 
released is not for the bundled openssl that comes with ruby itself, but 
a separate repository.

There is a 'ruby_2_3 branch'[0] where fixes are backported. Do you think 
it would make sense to have a 'ruby-2.3-backports' package as a 
replacement for the 'ruby-2.3' package which tracks the 'ruby_2_3' 
branch? I see there are other fixes in there that probably have security 
implications.

The issue at hand has not yet been backported though, and the patch for 
fixing it does not apply to either the released 2.3.1 or even the 
backport branch. So, we wait, I think. I suspect that my trying to 
backport the patch myself is likely to do more harm than good. WDYT?

ben

[0]: https://github.com/ruby/ruby/tree/ruby_2_3
