Your submission was sent successfully! Close

CVE-2011-2705

Published: 5 August 2011

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

Priority

Medium

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid
Released (1.8.7.249-2ubuntu0.1)
maverick
Released (1.8.7.299-2ubuntu0.1)
natty
Released (1.8.7.302-2ubuntu0.1)
oneiric Not vulnerable
(1.8.7.352-2)
precise Not vulnerable

quantal Not vulnerable

raring Not vulnerable

saucy Not vulnerable

upstream
Released (1.8.7.352-2)
Patches:
upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
vendor: https://rhn.redhat.com/errata/RHSA-2011-1581.html
ruby1.9
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Ignored
(reached end-of-life)
maverick Does not exist

natty Does not exist

oneiric Does not exist

precise Does not exist

quantal Does not exist

raring Does not exist

saucy Does not exist

upstream Needs triage

ruby1.9.1
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Not vulnerable
(1.9.2.290-2)
precise Not vulnerable

quantal Not vulnerable

raring Not vulnerable

saucy Not vulnerable

upstream
Released (1.9.2.290-2)