Net::HTTPS Vulnerability
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ruby1.8 (Ubuntu) |
Undecided
|
Unassigned | |||
| Dapper |
Undecided
|
Stephan Ruegamer | |||
| Edgy |
Undecided
|
Stephan Ruegamer | |||
| Feisty |
Undecided
|
Stephan Ruegamer | |||
| Gutsy |
Undecided
|
Stephan Ruegamer | |||
| Hardy |
Undecided
|
Unassigned | |||
| ruby1.9 (Ubuntu) |
Undecided
|
Unassigned | |||
| Dapper |
Undecided
|
Unassigned | |||
| Edgy |
Undecided
|
Unassigned | |||
| Feisty |
Undecided
|
Unassigned | |||
| Gutsy |
Undecided
|
Unassigned | |||
| Hardy |
Undecided
|
Unassigned | |||
Bug Description
Binary package hint: ruby1.8
A vulnerability on the net/https library was reported.
Detailed information should be found at the original advisory:
<URL:http://
Impact
The vulnerability exists in the connect method within http.rb file which
fails to call post_connection
negotiated. Since the server certificate's CN is not validated against
the requested DNS name, the attacker can impersonate the target server
in a SSL connection. The integrity and confidentiality benefits of
SSL are thereby eliminated.
Vulnerable versions
1.8 series
* 1.8.4 and all prior versions
* 1.8.5-p113 and all prior versions
* 1.8.6-p110 and all prior versions
Development version (1.9 series)
All versions before 2006-09-23
Solution
1.8 series
Please upgrade to 1.8.6-p111 or 1.8.5-p114.
* <URL:http://
* <URL:http://
Please note that a package that corrects this weakness may already be available through your package management software.
Development version (1.9 series)
Please update your Ruby to a version after 2006-09-23.
| Stephan Ruegamer (sadig) wrote : | #1 |
| Stephan Ruegamer (sadig) wrote : | #2 |
| Stephan Ruegamer (sadig) wrote : | #3 |
Just for your information:
The patches against 1.8.5 for CVE-2007-5162 you can find here: http://
The patches against 1.8.6 for CVE-2007-5162 you can find here:
http://
For CVE-2007-5770 you can find here:
http://
smtp.rb and pop.rb are not affected in our releases, because until then they didn't have any SSL operations enabled. That was changed later.
Regards,
\sh
| Stephan Ruegamer (sadig) wrote : | #4 |
| Changed in ruby1.8: | |
| assignee: | nobody → shermann |
| status: | New → In Progress |
| Stephan Ruegamer (sadig) wrote : | #5 |
| Stephan Ruegamer (sadig) wrote : | #6 |
| Changed in ruby1.8: | |
| assignee: | nobody → shermann |
| status: | New → In Progress |
| assignee: | nobody → shermann |
| status: | New → In Progress |
| assignee: | nobody → shermann |
| status: | New → In Progress |
| assignee: | nobody → shermann |
| status: | New → In Progress |
| assignee: | shermann → nobody |
| status: | In Progress → Fix Released |
| Changed in ruby1.9: | |
| status: | New → Fix Released |
| Kees Cook (kees) wrote : | #7 |
Thanks for these debdiffs! I had to adjust the feisty patch (it was not verifying https by default -- the others were). A new script in qa-regression-
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.1
---------------
ruby1.8 (1.8.6.
* SECURITY UPDATE: SSL connections did not check commonName early
enough, possibly allowing sensitive information to be exposed.
* debian/
http://
* debian/
http://
* References:
CVE-2007-5162 CVE-2007-5770 (LP: #149616)
-- Stephan Hermann <email address hidden> Tue, 13 Nov 2007 19:42:37 +0100
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.1
---------------
ruby1.8 (1.8.5-4ubuntu2.1) feisty-security; urgency=low
* SECURITY UPDATE: SSL connections did not check commonName early
enough, possibly allowing sensitive information to be exposed.
* debian/
http://
* debian/
http://
* References:
CVE-2007-5162 CVE-2007-5770 (LP: #149616)
-- Stephan Hermann <email address hidden> Tue, 13 Nov 2007 19:42:37 +0100
| Changed in ruby1.8: | |
| status: | In Progress → Fix Released |
| status: | In Progress → Fix Released |
| Kees Cook (kees) wrote : | #10 |
ruby1.8 has been released with: http://
| Changed in ruby1.8: | |
| status: | In Progress → Fix Released |
| status: | In Progress → Fix Released |
| Hew McLachlan (hew) wrote : | #11 |
Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.
| Changed in ruby1.9: | |
| status: | New → Won't Fix |
| LumpyCustard (orangelumpycustard) wrote : | #12 |
Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.
| Hew McLachlan (hew) wrote : | #13 |
Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.
| Changed in ruby1.9: | |
| status: | New → Won't Fix |
| Sergio Zanchetta (primes2h) wrote : | #14 |
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://
Gutsy task.
| Changed in ruby1.9 (Ubuntu Gutsy): | |
| status: | New → Won't Fix |
| Jamie Strandboge (jdstrand) wrote : | #15 |
Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https:/
releases.
Please feel free to report any other bugs you may find.
| Changed in ruby1.9 (Ubuntu Dapper): | |
| status: | New → Won't Fix |
Dear Colleagues,
I'm creating some patches against ruby1.8 and ruby1.9 for gutsy and all other affected versions in our releases.