CVE-2015-0292 #89
Not sure what kind of checking this SonarQube does, but the quote references "crypto/evp/encode.c" - there is no C code in jopenssl.jar. Parts of jopenssl are a re-implementation of OpenSSL in Java; other parts use Bouncy Castle libraries. How does SonarQube think the jar is OpenSSL?
Maybe they're just checking; our emulated JRuby-OpenSSL should not be subject to any of those issues.
@mkristian, @kares: thanks for your reply. I have confirmed with the SonarQube guys that the rule "Using Components with Known Vulnerabilities." is not from a SonarQube plugin; it is from a third-party plugin. I will post this issue to the provider of this plugin.
I used the latest version, 0.9.16-java, of the jruby-openssl gem in my project, but when I use SonarQube to scan my code, it reports many "Using Components with Known Vulnerabilities." issues caused by jruby-openssl, for example CVE-2015-0292. I want to ask whether jruby-openssl 0.9.16-java is subject to the CVE-2015-0292, CVE-2014-3567, ... vulnerabilities. Which OpenSSL version does our jruby-openssl 0.9.16 map to?
Filename: jopenssl.jar | Reference: CVE-2015-0292 | CVSS Score: 7.5 | Category: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
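The finding above is a component-scanner match on a jar name against a CVE in OpenSSL's C base64 decoder. A first triage step for such a finding is to check whether the flagged archive actually bundles any compiled native code at all, and what version its manifest declares. The script below is an added example, not code from the jruby-openssl project or from the scanner; it uses Python's standard-library `zipfile` (a jar is a zip) and builds a constructed in-memory jar so it runs offline. The `native/libexample.so` entry, the `0.0.0-example` version and the class file bytes are constructed placeholders. Absence of native entries rules out the C bug described in the CVE text, but says nothing about defects in a pure-Java reimplementation, which would need their own review.

```python
"""Triage a "known vulnerable component" finding against a jar.

Added example (not from jruby-openssl): list any native-library entries
in a jar and read its declared Implementation-Version, so a CVE against
C code can be checked against what the archive really contains.
"""
import io
import zipfile

# File suffixes that indicate compiled native code inside a jar.
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib", ".a")


def native_entries(jar_bytes):
    """Return the entry names that look like native (non-Java) libraries."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]


def manifest_version(jar_bytes):
    """Return the Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def triage(jar_bytes):
    """Summarise what a scanner finding should be weighed against."""
    natives = native_entries(jar_bytes)
    return {
        "pure_java": not natives,          # no compiled code => no C-level CVE applies
        "native_entries": natives,
        "version": manifest_version(jar_bytes),
    }


def build_sample_jar(with_native):
    """Constructed sample jar (placeholder contents) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 0.0.0-example\n")
        zf.writestr("org/example/Crypto.class", b"\xca\xfe\xba\xbe")  # placeholder class
        if with_native:
            zf.writestr("native/libexample.so", b"\x7fELF")          # placeholder ELF
    return buf.getvalue()


if __name__ == "__main__":
    # On a real finding: triage(open("jopenssl.jar", "rb").read())
    print(triage(build_sample_jar(with_native=False)))
    print(triage(build_sample_jar(with_native=True)))
```

Run it against the real archive path instead of the constructed sample; a result with `pure_java` true means the memory-corruption CVE quoted by the scanner cannot apply to that file, and the manifest version tells you which component actually to compare against advisories.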