found 635878 1.8.7.302-2
close 635878 1.8.7.352-1
thanks

On 29/07/11 at 12:05 +0200, Moritz Muehlenhoff wrote:
> Package: ruby1.8
> Version: 1.8.7.352-1
> Severity: grave
> Tags: security
>
> Please see the following posting on oss-security:
>
> --------
> > On 07/11/2011 02:07 PM, Ludwig Nussel wrote:
> > > http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
> > > http://redmine.ruby-lang.org/issues/4579
> > > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> > > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
> >
> > Looking at the above patches, there seems to be two issues here,
> > perhaps it needs two CVE ids to be assigned?
> >
> > 1. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=31713
> >
> > This one pertains to rand returning same values in forked processes.
> > http://redmine.ruby-lang.org/issues/show/4338
> > This is a regression, as it was fixed in 1.8.6-p114, but re-appeared in
> > 1.8.6-p399.
> > Let's use CVE-2011-2686 for this one.
> >
> > 2. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
> >
> > This is an issue in the securerandom.rb module.
> > http://redmine.ruby-lang.org/issues/4579
> >
> > Use CVE-2011-2705 for this.
Hi Moritz,

I have verified that both issues are fixed in ruby1.8/1.8.7.352-1
(testing/unstable). The stable version is likely to be affected.
Updating the status to reflect that.

Lucas
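Added example, not part of the bug report or of Ruby itself: a check for the behaviour behind CVE-2011-2686, whether rand output diverges across forked children, with an explicit srand in each child as the mitigation an application can apply on an interpreter that lacks the fix. It assumes a POSIX platform where Process.fork is available; all values it produces are constructed at run time.

```ruby
# Added example (not from the bug report or Ruby itself). Assumes POSIX
# Process.fork is available.

# Fork `count` children; each reports the first value it draws from rand.
# The parent draws once first so the PRNG state is initialised and then
# cloned into every child by fork, which is what the regression exposed.
# With reseed: true each child calls srand before drawing, the explicit
# mitigation an application can apply on an interpreter that lacks the fix.
def rand_values_across_forks(count, reseed: false)
  rand # initialise the parent's PRNG state before forking
  children = Array.new(count) do
    reader, writer = IO.pipe
    pid = Process.fork do
      reader.close
      srand if reseed          # fresh seed from OS entropy in the child
      writer.puts(rand(2**32)) # report the child's first draw
      writer.close
      exit!(0)                 # skip at_exit handlers inherited from the parent
    end
    writer.close
    [pid, reader]
  end
  children.map do |pid, reader|
    value = reader.read.to_i
    reader.close
    Process.wait(pid)
    value
  end
end

# True when two or more children drew the same first value, i.e. the
# cloned PRNG state was never reseeded. Eight draws from a 2**32 range
# collide by chance with probability around 1e-8, so a true result is
# the regression, not bad luck.
def forks_share_rand_state?(count = 8, reseed: false)
  values = rand_values_across_forks(count, reseed: reseed)
  values.uniq.size < values.size
end

if __FILE__ == $0
  puts "rand state shared across forks: #{forks_share_rand_state?}"
  puts "with srand in each child:       #{forks_share_rand_state?(reseed: true)}"
end
```

On a fixed interpreter both calls report false; on an affected 1.8.6-p399/1.8.7 build the first reports true and the srand variant still reports false.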

