CVE-2014-2734
Published: 24 April 2014
** DISPUTED ** The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.
Notes
Author | Note |
---|---|
mdeslaur | this is disputed |
Priority
Status
Package | Release | Status |
---|---|---|
ruby1.8 Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Ignored
|
|
quantal |
Ignored
|
|
saucy |
Ignored
|
|
trusty |
Does not exist
|
|
upstream |
Needed
|
|
ruby1.9 Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
saucy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needed
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Ignored
|
|
quantal |
Ignored
|
|
saucy |
Ignored
|
|
trusty |
Does not exist
(trusty was ignored)
|
|
upstream |
Needed
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
saucy |
Ignored
|
|
trusty |
Does not exist
(trusty was ignored)
|
|
upstream |
Needed
|