[DRE-maint] Bug#742706: ruby-net-ldap: CVE-2014-0083

Salvatore Bonaccorso carnil at debian.org
Fri Mar 28 19:32:06 UTC 2014


Hi Jonas, hi Moritz,

On Fri, Mar 28, 2014 at 07:49:18PM +0100, Jonas Genannt wrote:
> Hello Moritz,
> 
> thanks for your report. I have checked the version in Debian, and I think they are not
> affected by this SSHA salt problem:
> 
> 
> http://anonscm.debian.org/gitweb/?p=pkg-ruby-extras/ruby-net-ldap.git;a=blob;f=lib/net/ldap/password.rb;h=503c7fe6b30870a7a33890f74b1da060cff40399;hb=HEAD
> 
> Upstream (newer version) with SSHA:
> 	https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb
> 
> I think we can close the bug?

I think you are right. The SSHA support was included upstream in
v0.5.0 according to git blame. So as long as in Debian we do not have an
upload of the current version of ruby-net-ldap we could close this bug.

I have marked the entry as not-affected but added the above note about
the version introducing the support.

AFAICS (only from a very quick look) upstream has not yet fixed this
issue.

Regards,
Salvatore


