On Wed, 13 Apr 2022 11:18:50 +0100 Neil Williams <codeh...@debian.org> wrote: > Source: ruby-devise-two-factor > Version: 4.0.2-1 > Severity: important > Tags: security > X-Debbugs-Cc: codeh...@debian.org, Debian Security Team > <t...@security.debian.org> > > Hi, > > The following vulnerability was published for ruby-devise-two-factor. > > CVE-2021-43177[0]: > | As a result of an incomplete fix for CVE-2015-7225, in versions of > | devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time- > | Password (OTP) for one (and only one) immediately trailing interval. > | CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-43177 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43177 > > Please adjust the affected versions in the BTS as needed. > > See also: https://security-tracker.debian.org/tracker/CVE-2015-7225 > and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466
Please note, I've filed the bug because the pull request linked to the CVE is currently open: https://github.com/tinfoil/devise-two-factor/pull/108 However, there is a comment that this has been fixed in 4.0.2 but no link to the fixing commit. It is possible that https://github.com/tinfoil/devise-two-factor/commit/64576bb9e7d29800c5f92bb86fb6ecff91ad6105 is the fixing commit but this is not clear. -- Neil Williams ============= https://linux.codehelp.co.uk/
pgpFpix0YLbZV.pgp
Description: OpenPGP digital signature