attr-encrypted / encryptor

A simple wrapper for the standard ruby OpenSSL library
MIT License

CVE for encryptor 2.0.0 #30

Open tarcieri opened 6 years ago

tarcieri commented 6 years ago

I opened a ruby-advisory-db issue for the GCM nonce reuse issue in encryptor 2.0.0:

https://github.com/rubysec/ruby-advisory-db/issues/305

The first step is to obtain a CVE. Are you interested in doing that?

https://iwantacve.org

If not I can get one on your behalf.

saghaulor commented 6 years ago

@tarcieri This is the best course of action. I should have done that when the issue was exposed. Thanks for bringing it to my attention.

I've added a comment to your rubysec PR pointing to the issue where the bug was originally reported.

I'll try to open a CVE myself; if I am unable to figure it out, I'll reach out for your help. Thank you.

tarcieri commented 6 years ago

Awesome, thanks!

reedloden commented 5 years ago

Did a CVE ever get assigned to this? If not, I can assign one...

jasnow commented 1 year ago

@tarcieri, @saghaulor,

As part of my ruby-advisory-db repo work, I would like to offer my help to work with you in applying for a CVE for the Encryptor 2.0.0 issue covered by https://github.com/rubysec/ruby-advisory-db/issues/305 and this issue.

To start this process, I have collected all of the data I could find. It is in a format similar to ruby-advisory-db advisories.

Feel free to use the data or replace it as needed. I will help out as I can.

Thanks

CC: @reedloden @postmodern