
List:       oss-security
Subject:    Re: [oss-security] CVE request for 'devise' ruby gem
From:       Kurt Seifried <kseifried@redhat.com>
Date:       2013-01-29 6:16:08
Message-ID: 51076928.6040106@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/28/2013 05:38 PM, Reed Loden wrote:
> Devise is a flexible authentication solution for Rails.
> 
> Security announcement made earlier today:
> 
> http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
>
>  """" Using a specially crafted request, an attacker could trick
> the database type conversion code to return incorrect records. For
> some token values this could allow an attacker to bypass the proper
> checks and gain control of other accounts. """"
> 
> I don't see a CVE yet for this issue, so could one be assigned,
> please?
> 
> Thanks, ~reed

Please use CVE-2013-0233 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRB2knAAoJEBYNRVNeJnmT2LQQANxuOli0XQBJcfiXImV8pPP+
EAZnqDjGbt2o3S+P6JtNAOxj7hg9odtzJyC5ihvcBuu4GPjstSZgheaH1ICLiQTh
QRa5fHxCwJnoJpNcpDjI3wDjI4RJgD7q+bBPixB9r4hiAuM1DjNbmEBJeErrD1Kh
SxYKocivxMoEgIborwZwdcts3CtHQsaG8ARVILIdmFtLeFf2TtfrLZhGYxKXl/32
y5p6ixynUwRbG0c6WG82iakk3It0DmpwGxwZtncdJfgbPCcwLUp613AQCYZBuL0c
sENIK31j3fgDFU6yp4bLIxatx7H6IrZLW4SVfKk9qcWSalqVBD7SuywfByl/aRTe
dARz6FwvPQpqV3CSJ3y9YRKKGEYsnKlOtnBXsDY1huSxQ/pBDhjSBWuZcCBADhyd
CUBCx7U5W10iisER1f+t20ccppsP3NjLbHFa949uGXjpPOkqxImu23bgu7aBLp1Z
AhozbY644hRPty4kKHVLhuBlbz5s81StOkx+DNshOKC3iN+983IsWsky1oEj7XuW
pBBrnd9UXxOn9NvKiz6rJMy9GHxJgUAdchtF/ClKcCoPNlTXNvAYGJZiurH/Y/k4
ICQT40ESFtkDCGDHxJQHnusdj1eMhUf4NSFK7Hk363oo4HpLRKIv8343y3XK5FqZ
J8ixqRAGaYAaeeB/Jsu1
=mlUv
-----END PGP SIGNATURE-----
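The announcement quoted above says only that a crafted request "trick[s] the database type conversion code to return incorrect records" for some token values; it does not state which conversion is involved. The following is an added illustration, not code from Devise, the announcement, or this thread. It assumes one plausible failure mode of that kind: a backend that, when handed an Integer parameter for a string column, compares by numeric conversion of the string (a string with no leading digits converts to 0), together with a request parser that can yield a typed (non-string) value. `User`, `USERS`, `CoercingStore`, and the two lookup functions are all hypothetical; the sample rows are constructed. It shows why passing the raw parameter through to the query is unsafe and what the application-side check that closes that hole looks like.

```ruby
# Added example (not Devise code). Models a token lookup whose backend coerces
# types the way some SQL engines do, and the application-side check that keeps
# untyped request input away from that comparison.
User = Struct.new(:id, :email, :reset_password_token)

# Constructed sample rows. Alice's token begins with a letter, Bob's with a digit;
# Carol has no outstanding reset token.
USERS = [
  User.new(1, "alice@example.com", "a1b2c3d4e5f6a7b8"),
  User.new(2, "bob@example.com",   "7f8e9d0c1b2a3f4e"),
  User.new(3, "carol@example.com", nil),
].freeze

# Hypothetical backend (assumption): a string column compared against an Integer
# parameter is converted via its leading numeric prefix (no digits -> 0).
# String against String is an exact match. NULL never matches.
module CoercingStore
  def self.sql_eq(column_value, param)
    return false if column_value.nil?
    case param
    when Integer then column_value.to_i == param
    when String  then column_value == param
    else false
    end
  end

  def self.find_first(conditions)
    USERS.find { |row| conditions.all? { |column, value| sql_eq(row[column], value) } }
  end
end

# Vulnerable lookup: whatever type the request parser produced (assumed here to
# be able to yield an Integer) is passed straight through to the comparison.
def find_by_token_vulnerable(params)
  CoercingStore.find_first(reset_password_token: params[:reset_password_token])
end

# Constant-time string comparison so the re-check below does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened lookup: only a non-empty String may reach the database, and the row
# that comes back is re-checked against the presented token.
def find_by_token_hardened(params)
  token = params[:reset_password_token]
  return nil unless token.is_a?(String) && !token.empty?
  user = CoercingStore.find_first(reset_password_token: token)
  return nil unless user && secure_compare(user.reset_password_token, token)
  user
end

if __FILE__ == $PROGRAM_NAME
  # A caller who can submit a typed parameter needs no knowledge of the token:
  # a handful of small integers covers every possible leading digit.
  puts "vulnerable, token=0: #{find_by_token_vulnerable(reset_password_token: 0)&.email}"
  puts "vulnerable, token=7: #{find_by_token_vulnerable(reset_password_token: 7)&.email}"
  puts "hardened,   token=0: #{find_by_token_hardened(reset_password_token: 0).inspect}"
end
```

The type check belongs in the application, before the value is interpolated into a query, because the database cannot know that a token column must only ever be compared against a string; the constant-time re-check is a second, independent guard in case the backend returns a row the application did not intend to match.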