* Ruby / OpenSSL security issue
From: Leo Famulari @ 2016-09-20 2:06 UTC
To: guix-devel

Ruby users,

There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].

Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?

[0] http://seclists.org/oss-sec/2016/q3/562
    https://github.com/ruby/openssl/issues/49
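For readers who want to see what the reported bug class actually risks, here is an added Ruby example (not code from the thread, from Guix, or from the ruby/openssl project). The upstream report concerned the IV set on an AES-GCM cipher being discarded when it was assigned before the key, so messages were silently encrypted under a repeated IV. The helper names (`gcm_encrypt`, `gcm_decrypt`, `keystream_reuse_leak`, `fresh_ivs_differ`) and the sample plaintexts are my own; the example shows the safe ordering (key first, then a fresh 96-bit IV per message) and demonstrates the textbook consequence of IV reuse: with the same key and IV the GCM keystream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts.

```ruby
require 'openssl'
require 'securerandom'

# Safe pattern: set the key BEFORE the IV, and never reuse an IV under
# one key. In the affected ruby/openssl versions, assigning iv= before
# key= silently discarded the IV (assumption stated from the upstream
# report, not from this thread).
def gcm_encrypt(key, iv, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key                 # 32 bytes for AES-256
  cipher.iv = iv                   # 12-byte (96-bit) nonce, unique per message
  cipher.auth_data = aad           # must follow key/iv and precede update
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag]    # 16-byte tag authenticates ciphertext + aad
end

def gcm_decrypt(key, iv, ciphertext, tag, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag            # set before final so the tag is verified
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final   # raises CipherError on a bad tag
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Why a repeated IV is fatal for GCM (a CTR-mode cipher underneath):
# same key + same IV => same keystream, so C1 ^ C2 == P1 ^ P2 and the
# confidentiality of both messages is lost. Returns true when the leak
# is observed; used here only to make the risk concrete.
def keystream_reuse_leak(key, iv, p1, p2)
  c1, _tag1 = gcm_encrypt(key, iv, p1)
  c2, _tag2 = gcm_encrypt(key, iv, p2)
  xor_bytes(c1, c2) == xor_bytes(p1, p2)
end

# The mitigation: draw a fresh random nonce for every message, so two
# encryptions of the same plaintext never share a keystream.
def fresh_ivs_differ(key, plaintext)
  iv1 = SecureRandom.random_bytes(12)
  iv2 = SecureRandom.random_bytes(12)
  c1, _ = gcm_encrypt(key, iv1, plaintext)
  c2, _ = gcm_encrypt(key, iv2, plaintext)
  c1 != c2
end

# Round trip with a constructed key and a tampered-tag check.
def roundtrip_and_tamper_check
  key = SecureRandom.random_bytes(32)
  iv  = SecureRandom.random_bytes(12)
  ct, tag = gcm_encrypt(key, iv, 'constructed sample message', 'hdr')
  ok = gcm_decrypt(key, iv, ct, tag, 'hdr') == 'constructed sample message'
  bad_tag = xor_bytes(tag, "\x01" * tag.bytesize)
  begin
    gcm_decrypt(key, iv, ct, bad_tag, 'hdr')
    tamper_detected = false
  rescue OpenSSL::Cipher::CipherError
    tamper_detected = true
  end
  ok && tamper_detected
end
```

The XOR check is the classic two-time-pad observation; a code reviewer or packager who wants to know whether a given ruby/openssl build is affected can run `keystream_reuse_leak` with the key and IV assigned in the bug's order (iv= before key=) and different IVs, and see whether the ciphertexts still cancel.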
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-20 5:17 UTC
To: Leo Famulari, guix-devel

On 20/09/16 12:06, Leo Famulari wrote:
> Ruby users,
>
> There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].
>
> Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?

Thanks for the report Leo. I don't think much can be done about this until a fix is released, no? It has unfortunately been around since March on that GitHub page; hopefully the report on oss-sec will spur some action.

ben
* Re: Ruby / OpenSSL security issue
From: Leo Famulari @ 2016-09-20 19:05 UTC
To: Ben Woodcroft; +Cc: guix-devel

On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> On 20/09/16 12:06, Leo Famulari wrote:
>> Ruby users,
>>
>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].
>>
>> Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?
>
> Thanks for the report Leo. I don't think much can be done about this until a fix is released, no? It has unfortunately been around since March on that GitHub page; hopefully the report on oss-sec will spur some action.

Okay, do you volunteer to track this bug upstream? :)
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-21 1:19 UTC
To: Leo Famulari; +Cc: guix-devel

On 21/09/16 05:05, Leo Famulari wrote:
> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>> On 20/09/16 12:06, Leo Famulari wrote:
>>> Ruby users,
>>>
>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].
>>>
>>> Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?
>> Thanks for the report Leo. I don't think much can be done about this until a fix is released, no? It has unfortunately been around since March on that GitHub page; hopefully the report on oss-sec will spur some action.
> Okay, do you volunteer to track this bug upstream? :)

Sure, OK.

ben
* Re: Ruby / OpenSSL security issue
From: Leo Famulari @ 2016-09-30 17:32 UTC
To: Ben Woodcroft; +Cc: guix-devel

On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> On 21/09/16 05:05, Leo Famulari wrote:
>> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>>> On 20/09/16 12:06, Leo Famulari wrote:
>>>> Ruby users,
>>>>
>>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].
>>>>
>>>> Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?
>>> Thanks for the report Leo. I don't think much can be done about this until a fix is released, no? It has unfortunately been around since March on that GitHub page; hopefully the report on oss-sec will spur some action.
>> Okay, do you volunteer to track this bug upstream? :)
>
> Sure, OK.

Ping :)

The Ruby developers have committed a fix, apparently:

http://seclists.org/oss-sec/2016/q3/680
* Re: Ruby / OpenSSL security issue
From: Ben Woodcroft @ 2016-09-30 23:46 UTC
To: Leo Famulari; +Cc: guix-devel

On 01/10/16 03:32, Leo Famulari wrote:
> On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
>> On 21/09/16 05:05, Leo Famulari wrote:
>>> On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
>>>> On 20/09/16 12:06, Leo Famulari wrote:
>>>>> Ruby users,
>>>>>
>>>>> There is a bug report on Ruby's OpenSSL module regarding IV re-use in AES-GCM mode [0].
>>>>>
>>>>> Does anyone volunteer to investigate the bug report and decide what to do about it for our Ruby package?
>>>> Thanks for the report Leo. I don't think much can be done about this until a fix is released, no? It has unfortunately been around since March on that GitHub page; hopefully the report on oss-sec will spur some action.
>>> Okay, do you volunteer to track this bug upstream? :)
>> Sure, OK.
> Ping :)
>
> The Ruby developers have committed a fix, apparently:
>
> http://seclists.org/oss-sec/2016/q3/680

Thanks for keeping on top of this.

The difficulty is that the fix released is not for the bundled openssl that comes with ruby itself, but a separate repository. There is a 'ruby_2_3' branch [0] where fixes are backported. Do you think it would make sense to have a 'ruby-2.3-backports' package as a replacement for the 'ruby-2.3' package which tracks the 'ruby_2_3' branch? I see there are other fixes in there that probably have security implications.

The issue at hand has not yet been backported though, and the patch for fixing it does not apply to either the released 2.3.1 or even the backport branch. So, we wait, I think. I suspect that my trying to backport the patch myself is likely to do more harm than good.

WDYT?

ben

[0]: https://github.com/ruby/ruby/tree/ruby_2_3