From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: Ruby / OpenSSL security issue
Date: Fri, 30 Sep 2016 13:32:05 -0400
Message-ID: <20160930173205.GA30775@jasmine>
References: <20160920020636.GA17224@jasmine>
	<572d28c9-2d87-faa8-651e-cfd8698c3125@uq.edu.au>
	<20160920190502.GB16683@jasmine>
	<a2f44e53-5efd-3bc7-7880-0dd2ac1f21b9@uq.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57147)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bq1fa-00021L-KJ
	for guix-devel@gnu.org; Fri, 30 Sep 2016 13:32:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bq1fW-0005Iz-CO
	for guix-devel@gnu.org; Fri, 30 Sep 2016 13:32:21 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:34382)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bq1fV-0005EV-3S
	for guix-devel@gnu.org; Fri, 30 Sep 2016 13:32:18 -0400
Content-Disposition: inline
In-Reply-To: <a2f44e53-5efd-3bc7-7880-0dd2ac1f21b9@uq.edu.au>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ben Woodcroft <b.woodcroft@uq.edu.au>
Cc: guix-devel@gnu.org

On Wed, Sep 21, 2016 at 11:19:45AM +1000, Ben Woodcroft wrote:
> On 21/09/16 05:05, Leo Famulari wrote:
> > On Tue, Sep 20, 2016 at 03:17:42PM +1000, Ben Woodcroft wrote:
> > > On 20/09/16 12:06, Leo Famulari wrote:
> > > > Ruby users,
> > > > 
> > > > There is a bug report on Ruby's OpenSSL module regarding IV re-use in
> > > > AES-GCM mode [0].
> > > > 
> > > > Does anyone volunteer to investigate the bug report and decide what to
> > > > do about it for our Ruby package?
> > > Thanks for the report Leo.  I don't think much can be done about this until
> > > a fix is released, no? It is unfortunately been around since March on that
> > > GitHub page, hopefully the report on oss-sec will spur some action.
> > Okay, do you volunteer to track this bug upstream? :)
> 
> Sure, OK.

Ping :)

The Ruby developers have committed a fix, apparently:

http://seclists.org/oss-sec/2016/q3/680