Описание
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby2.3 | fixed | 2.3.3-1+deb9u1 | package | |
| ruby2.1 | removed | package | ||
| ruby-attr-encrypted | fixed | 3.0.1-2 | package | |
| ruby-encryptor | fixed | 3.0.0-1 | package |
Примечания
https://github.com/ruby/openssl/issues/49
https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
https://github.com/attr-encrypted/attr_encrypted/issues/203
https://github.com/attr-encrypted/encryptor/pull/22
EPSS
Связанные уязвимости
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
OpenSSL gem for Ruby using inadequate encryption strength
EPSS