Date:      Wed, 12 Feb 2014 14:02:27 -0800
From:      Pierre Carrier <pierre.carrier@airbnb.com>
To:        rory@berecruited.com, pkgsrc-security@netbsd.org, bugbusters@freebsd.org,  secalert@redhat.com, product.security@airbnb.com
Subject:   Insufficient salting in the net-ldap Ruby gem
Message-ID:  <CAM7LUF4MuEJ0DWKhDZ=P=Z7HME_F18a8K4LeSehccmPQP8xHpg@mail.gmail.com>

Hello,

SSHA passwords generated by the net-ldap Ruby gem use a salt between
"0" and "999", only providing 10 bits of entropy.

This is an attack vector, making attacks based on rainbow tables
significantly easier than with a strong salt.

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb#L29

This E-mail is sent to the current upstream maintainer and all vendors
that distribute a version of that gem.
Your version might not be affected; if not, sorry for the noise.

Best,

-- 
Pierre Carrier
Site Reliability Engineer, Airbnb
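The report above describes an SSHA implementation whose salt is a decimal number from "0" to "999", i.e. only about 10 bits of salt space. The following Ruby is an added illustration written for this note, not code from the net-ldap gem or from the reporter: it builds SSHA values (`{SSHA}` + base64(SHA1(password || salt) || salt)) with an explicit salt, contrasts the weak three-digit salt with a 16-byte CSPRNG salt, verifies a password against a stored value with a constant-time comparison, and provides an audit check (`weak_salt?`) a directory administrator could run over stored `userPassword` values to find entries that still carry a 1-3 digit salt. All function names (`ssha_with_salt`, `weak_salt`, `strong_salt`, `generate_ssha`, `salt_space_bits`, `parse_ssha`, `verify_ssha`, `weak_salt?`) are this example's own.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'base64'

# SSHA layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# Illustrative code for this note; not the gem's own implementation.

DIGEST_LEN = 20  # SHA-1 output size in bytes

# Build an SSHA value from an explicit salt (any byte string).
def ssha_with_salt(password, salt)
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# The weak scheme the report describes: a decimal number "0".."999".
# Only 1000 distinct salts exist, so the salt space is log2(1000) ~ 10 bits.
def weak_salt
  rand(1000).to_s
end

# A strong salt: 16 random bytes (128 bits) from the OS CSPRNG.
def strong_salt(bytes = 16)
  SecureRandom.random_bytes(bytes)
end

def generate_ssha(password, salt_bytes: 16)
  ssha_with_salt(password, strong_salt(salt_bytes))
end

# Bits of salt space for a generator able to emit `distinct_values` salts.
def salt_space_bits(distinct_values)
  Math.log2(distinct_values)
end

# Split an SSHA value into [digest, salt]; raises on malformed input.
def parse_ssha(hash)
  raise ArgumentError, "not an SSHA value" unless hash.start_with?("{SSHA}")
  raw = Base64.strict_decode64(hash[6..-1])
  raise ArgumentError, "no salt present" if raw.bytesize <= DIGEST_LEN
  [raw.byteslice(0, DIGEST_LEN), raw.byteslice(DIGEST_LEN..-1)]
end

# Compare two byte strings without exiting early on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the digest with the stored salt and compare in constant time.
def verify_ssha(password, hash)
  digest, salt = parse_ssha(hash)
  constant_time_equal?(Digest::SHA1.digest(password.b + salt), digest)
end

# Audit helper: flag stored values whose salt is a 1-3 digit ASCII string,
# the shape produced by the "0".."999" scheme. A 16-byte random salt can
# never match this pattern.
def weak_salt?(hash)
  _digest, salt = parse_ssha(hash)
  !!(salt =~ /\A\d{1,3}\z/)
end

if __FILE__ == $PROGRAM_NAME
  weak   = ssha_with_salt("hunter2", weak_salt)   # constructed sample password
  strong = generate_ssha("hunter2")
  puts "weak salt space:   #{salt_space_bits(1000).round(2)} bits, flagged=#{weak_salt?(weak)}"
  puts "strong salt space: #{salt_space_bits(2**128).round(2)} bits, flagged=#{weak_salt?(strong)}"
end
```

Existing values flagged by `weak_salt?` cannot be repaired in place, because the salt is baked into the digest; the practical remediation is to regenerate the value with a strong salt the next time the user authenticates (the plaintext is available at that moment and `verify_ssha` has just confirmed it), or to force a password reset.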