From: Pierre Carrier
Date: Wed, 12 Feb 2014 14:02:27 -0800
Subject: Insufficient salting in the net-ldap Ruby gem
To: rory@berecruited.com, pkgsrc-security@netbsd.org, bugbusters@freebsd.org, secalert@redhat.com, product.security@airbnb.com
Hello,

SSHA passwords generated by the net-ldap Ruby gem use a salt between "0" and "999", only providing 10 bits of entropy.

This is an attack vector, making attacks based on rainbow tables significantly easier than with a strong salt.

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb#L29

This E-mail is sent to the current upstream maintainer and all vendors that distribute a version of that gem. Your version might not be affected; if not, sorry for the noise.

Best,

--
Pierre Carrier
Site Reliability Engineer, Airbnb
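An added example, not from the report above and not the net-ldap gem's own code, showing the fix the report asks for: an LDAP {SSHA} value built with a salt from a CSPRNG, the matching verifier that recovers the salt from the stored value, and a comparison of the 1000-value salt space the report describes against 16 random bytes. The function names and the 16-byte salt length are my own choices.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

SHA1_LEN   = 20
SALT_BYTES = 16  # assumption: 16 random bytes, versus the "0".."999" range in the report

# Build an LDAP {SSHA} value: Base64(SHA1(password || salt) || salt).
# The salt defaults to CSPRNG output instead of a small decimal counter.
def ssha_hash(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + Base64.strict_encode64(digest + salt.b)
end

# Verify a candidate password against a stored {SSHA} value by recovering
# the salt that was appended to the digest.
def ssha_verify(password, stored)
  return false unless stored.start_with?('{SSHA}')
  decoded = Base64.strict_decode64(stored.delete_prefix('{SSHA}'))
  return false if decoded.bytesize <= SHA1_LEN
  digest = decoded.byteslice(0, SHA1_LEN)
  salt   = decoded.byteslice(SHA1_LEN..-1)
  constant_time_eq(digest, Digest::SHA1.digest(password.b + salt))
rescue ArgumentError  # malformed Base64
  false
end

# Compare two byte strings without an early exit on the first mismatch.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Bits of salt entropy = log2(number of distinct salts the generator can emit).
def salt_entropy_bits(distinct_salts)
  Math.log2(distinct_salts)
end

if __FILE__ == $0
  weak   = salt_entropy_bits(1000)       # salts "0".."999" as in the report
  strong = salt_entropy_bits(256**SALT_BYTES)
  puts format('weak salt: %.2f bits, random 16-byte salt: %.0f bits', weak, strong)
  stored = ssha_hash('correct horse')
  puts stored
  puts ssha_verify('correct horse', stored)   # true
  puts ssha_verify('wrong', stored)           # false
end
```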