[ruby] multiple vulnerabilities

Bug #165140 reported by disabled.user
This bug report is a duplicate of: Bug #149616: Net::HTTPS Vulnerability.
Affects | Status | Importance | Assigned to | Milestone
libopenssl-ruby (Ubuntu) | New | Undecided | Unassigned |
ruby1.8 (Ubuntu) | New | Undecided | Unassigned |
ruby1.9 (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Binary package hint: ruby1.8

References:
http://www.debian.org/security/2007/dsa-1410
http://www.debian.org/security/2007/dsa-1411
http://www.debian.org/security/2007/dsa-1412

Quoting CVE-2007-5162:
"The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site."

Quoting CVE-2007-5770:
"The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162."
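
The check both CVE entries describe as missing, comparing the name in the server certificate with the host the client asked for, shown as an added example (not code from this report or from the Ruby fix). The helper names and the example.test hostnames are constructed for illustration, and the certificates are throwaway self-signed ones, so only the identity check is exercised, not chain validation.

```ruby
require "openssl"

# One throwaway key reused for every constructed certificate below.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate whose subject is just CN=<common_name>.
# Constructed test data; stands in for whatever the server presents.
def self_signed_cert(common_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer = cert.subject
  cert.public_key = DEMO_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(DEMO_KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# True only if the certificate names the host the client requested.
# OpenSSL::SSL.verify_certificate_identity checks subjectAltName entries
# and falls back to the CN when no DNS alternative name is present.
def peer_identity_ok?(cert, requested_host)
  OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Fail closed: a client wrapper should abort the connection on mismatch.
# On a live socket, OpenSSL::SSL::SSLSocket#post_connection_check(hostname)
# performs this comparison and raises the same error class.
def enforce_identity!(cert, requested_host)
  return true if peer_identity_ok?(cert, requested_host)
  raise OpenSSL::SSL::SSLError,
        "hostname #{requested_host.inspect} does not match the server certificate"
end

if __FILE__ == $0
  cert = self_signed_cert("www.example.test")
  %w[www.example.test other.example.test].each do |host|
    puts "#{host}: #{peer_identity_ok?(cert, host) ? 'accepted' : 'rejected'}"
  end
end
```

This comparison complements chain validation (`OpenSSL::SSL::VERIFY_PEER`) and does not replace it: a certificate that names the right host but is not signed by a trusted CA must still be rejected.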

This report contains Public Security information  
Everyone can see this security related information.
