CVE for encryptor 2.0.0

[tarcieri]

I opened a ruby-advisory-db issue for the GCM nonce reuse issue in encryptor 2.0.0:

rubysec/ruby-advisory-db#305

The first step is to obtain a CVE. Are you interested in doing that?

https://iwantacve.org

If not I can get one on your behalf.

[saghaulor]

@tarcieri This is the best course of action. I should have done that when the issue was exposed. Thanks for bringing it to my attention.

I've added a comment to your rubysec PR pointing to the issue where the bug was originally reported.

I'll try to open a CVE myself, if I am unable to figure it out I'll reach out for you help. Thank you.

[tarcieri]

Awesome, thanks!

[reedloden]

Did a CVE ever get assigned to this? If not, can assign one...

[jasnow]

@tarcieri, @saghaulor,

As part of my ruby-advisory-db repo work, I would like to offer my help to work with you in applying for a CVE for the Encryptor 2.0.0 issue covered by rubysec/ruby-advisory-db#305 and this issue.

To start this process, I have collected all of the data I could find. It is in a format similar to ruby-advisory-db advisories.

• https://github.com/jasnow/draft-pre-cve-advs/blob/main/gems/ID-305-encryptor.yml

Feel free to use the data or replace it as needed. I will help out as I can.

Thanks

CC: @reedloden @postmodern