diff -u ruby1.8-1.8.4/debian/changelog ruby1.8-1.8.4/debian/changelog
--- ruby1.8-1.8.4/debian/changelog
+++ ruby1.8-1.8.4/debian/changelog
@@ -1,3 +1,23 @@
+ruby1.8 (1.8.4-5ubuntu1.3) edgy-security; urgency=low
+
+ * SECURITY UPDATE: From CVE:
+ The connect method in lib/net/http.rb in the (1)
+ Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not
+ verify that the commonName (CN) field in a server certificate matches the
+ domain name in an HTTPS request, which makes it easier for remote
+ attackers to intercept SSL transmissions via a man-in-the-middle attack or
+ spoofed web site.
+ The same issues are applying to other files.
+ * debian/patches/915_CVE-2007-5162.patch: Applied patch from upstream
+ (Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499 )
+ * debian/patches/915_CVE-2007-5770.patch: Applied patch from upstream
+ (Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656 )
+ * References:
+ CVE-2007-5162
+ CVE-2007-5770
+
+ -- Stephan Hermann Wed, 21 Nov 2007 13:20:51 +0100
+
 ruby1.8 (1.8.4-5ubuntu1.2) edgy-security; urgency=low
 * SECURITY UPDATE: remote denial of service in CGI module.
only in patch2: unchanged:
--- ruby1.8-1.8.4.orig/debian/patches/915_CVE-2007-5162.patch
+++ ruby1.8-1.8.4/debian/patches/915_CVE-2007-5162.patch
@@ -0,0 +1,88 @@
+diff -ruN ruby-1.8.4-old/ext/openssl/lib/openssl/ssl.rb ruby-1.8.4/ext/openssl/lib/openssl/ssl.rb
+--- ruby-1.8.4-old/ext/openssl/lib/openssl/ssl.rb 2007-11-21 13:07:47.488593000 +0100
++++ ruby-1.8.4/ext/openssl/lib/openssl/ssl.rb 2007-11-21 13:12:08.503468054 +0100
+@@ -88,7 +88,7 @@
+ end
+ }
+ end
+- raise SSLError, "hostname not match"
++ raise SSLError, "hostname was not match with the server certificate"
+ end
+ end
+
+diff -ruN ruby-1.8.4-old/lib/net/http.rb ruby-1.8.4/lib/net/http.rb
+--- ruby-1.8.4-old/lib/net/http.rb 2005-09-13 18:27:01.000000000 +0200
++++ ruby-1.8.4/lib/net/http.rb 2007-11-21 13:10:02.496287221 +0100
+@@ -470,6 +470,7 @@
+ @debug_output = nil
+ @use_ssl = false
+ @ssl_context = nil
++ @enable_post_connection_check = true
+ end
+
+ def inspect
+@@ -528,6 +529,10 @@
+
+ alias use_ssl use_ssl? #:nodoc: obsolete
+
++ # specify enabling SSL server sertificate and hostname checking.
++ attr_accessor :enable_post_connection_check
++
++
+ # Opens TCP connection and HTTP session.
+ #
+ # When this method is called with block, gives a HTTP object
+@@ -586,6 +591,14 @@
+ HTTPResponse.read_new(@socket).value
+ end
+ s.connect
++ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
++ begin
++ s.post_connection_check(@address)
++ rescue OpenSSL::SSL::SSLError => ex
++ raise ex if @enable_post_connection_check
++ warn ex.message
++ end
++ end
+ end
+ on_connect
+ end
+diff -ruN ruby-1.8.4-old/lib/open-uri.rb ruby-1.8.4/lib/open-uri.rb
+--- ruby-1.8.4-old/lib/open-uri.rb 2005-09-07 05:58:39.000000000 +0200
++++ ruby-1.8.4/lib/open-uri.rb 2007-11-21 13:11:25.000989094 +0100
+@@ -97,6 +97,7 @@
+ :progress_proc => true,
+ :content_length_proc => true,
+ :http_basic_authentication => true,
++ :ssl_enable_post_connection_check => true,
+ }
+
+ def OpenURI.check_options(options) # :nodoc:
+@@ -232,6 +233,10 @@
+ if target.class == URI::HTTPS
+ require 'net/https'
+ http.use_ssl = true
++ http.enable_post_connection_check =
++ options.has_key?(:ssl_enable_post_connection_check) ?
++ options[:ssl_enable_post_connection_check] :
++ Options[:ssl_enable_post_connection_check]
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ store = OpenSSL::X509::Store.new
+ store.set_default_paths
+@@ -243,16 +248,6 @@
+
+ resp = nil
+ http.start {
+- if target.class == URI::HTTPS
+- # xxx: information hiding violation
+- sock = http.instance_variable_get(:@socket)
+- if sock.respond_to?(:io)
+- sock = sock.io # 1.9
+- else
+- sock = sock.instance_variable_get(:@socket) # 1.8
+- end
+- sock.post_connection_check(target_host)
+- end
+ req = Net::HTTP::Get.new(request_uri, header)
+ if options.include? :http_basic_authentication
+ user, pass = options[:http_basic_authentication]
only in patch2: unchanged:
--- ruby1.8-1.8.4.orig/debian/patches/915_CVE-2007-5770.patch
+++ ruby1.8-1.8.4/debian/patches/915_CVE-2007-5770.patch
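Review bot: In the net/http.rb hunk, when `post_connection_check` fails and `@enable_post_connection_check` is true, the rescue re-raises without closing the just-connected SSL socket `s`, and the surrounding context suggests `@socket` is already set up at that point, so a hostname mismatch leaves an open socket and a half-initialised session behind; `s.close` before `raise ex` would release it (the enclosing `connect` starts outside the hunk, so whether `sync_close` is set on `s` cannot be confirmed from here). With the flag set to false the mismatch is only passed to `warn` and the session continues, which the new `attr_accessor` comment should state explicitly, e.g. `# When false, a hostname mismatch is only reported via warn and the session continues.` (and "sertificate" is misspelt there). The open-uri hunk assigns the option before `verify_mode` is set, which is harmless since the check only runs after `connect`.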
@@ -0,0 +1,94 @@
+diff -ruN ruby-1.8.4-old/ext/openssl/lib/net/ftptls.rb ruby-1.8.4/ext/openssl/lib/net/ftptls.rb
+--- ruby-1.8.4-old/ext/openssl/lib/net/ftptls.rb 2003-07-23 18:11:30.000000000 +0200
++++ ruby-1.8.4/ext/openssl/lib/net/ftptls.rb 2007-11-21 13:18:16.024411759 +0100
+@@ -29,13 +29,23 @@
+
+ module Net
+ class FTPTLS < FTP
++ def connect(host, port=FTP_PORT)
++ @hostname = host
++ super
++ end
++
+ def login(user = "anonymous", passwd = nil, acct = nil)
++ store = OpenSSL::X509::Store.new
++ store.set_default_paths
+ ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
++ ctx.cert_store = store
++ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.key = nil
+ ctx.cert = nil
+ voidcmd("AUTH TLS")
+ @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
+ @sock.connect
++ @sock.post_connection_check(@hostname)
+ super(user, passwd, acct)
+ voidcmd("PBSZ 0")
+ end
+diff -ruN ruby-1.8.4-old/ext/openssl/lib/net/telnets.rb ruby-1.8.4/ext/openssl/lib/net/telnets.rb
+--- ruby-1.8.4-old/ext/openssl/lib/net/telnets.rb 2004-12-20 04:49:16.000000000 +0100
++++ ruby-1.8.4/ext/openssl/lib/net/telnets.rb 2007-11-21 13:18:40.525808236 +0100
+@@ -134,6 +134,9 @@
+ @sock.verify_callback = @options['VerifyCallback']
+ @sock.verify_depth = @options['VerifyDepth']
+ @sock.connect
++ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
++ @sock.post_connection_check(@options['Host'])
++ end
+ @ssl = true
+ end
+ ''
+diff -ruN ruby-1.8.4-old/lib/net/imap.rb ruby-1.8.4/lib/net/imap.rb
+--- ruby-1.8.4-old/lib/net/imap.rb 2005-02-22 17:58:33.000000000 +0100
++++ ruby-1.8.4/lib/net/imap.rb 2007-11-21 13:20:08.030794832 +0100
+@@ -881,21 +881,9 @@
+ @parser = ResponseParser.new
+ @sock = TCPSocket.open(host, port)
+ if usessl
+- unless defined?(OpenSSL)
+- raise "SSL extension not installed"
+- end
++ start_tls_session(certs, verify)
+ @usessl = true
+
+- # verify the server.
+- context = SSLContext::new()
+- context.ca_file = certs if certs && FileTest::file?(certs)
+- context.ca_path = certs if certs && FileTest::directory?(certs)
+- context.verify_mode = VERIFY_PEER if verify
+- if defined?(VerifyCallbackProc)
+- context.verify_callback = VerifyCallbackProc
+- end
+- @sock = SSLSocket.new(@sock, context)
+- @sock.connect # start ssl session.
+ else
+ @usessl = false
+ end
+@@ -1323,6 +1311,27 @@
+ end
+ private_class_method :u8tou16
+
++ def start_tls_session(certs, verify)
++ unless defined?(OpenSSL)
++ raise "SSL extension not installed"
++ end
++ if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
++ raise RuntimeError, "already using SSL"
++ end
++ context = SSLContext::new()
++ context.ca_file = certs if certs && FileTest::file?(certs)
++ context.ca_path = certs if certs && FileTest::directory?(certs)
++ context.verify_mode = VERIFY_PEER if verify
++ if defined?(VerifyCallbackProc)
++ context.verify_callback = VerifyCallbackProc
++ end
++ @sock = SSLSocket.new(@sock, context)
++ @sock.sync_close = true
++ @sock.connect
++ @sock.post_connection_check(@host) if verify
++ end
++
++
+ class RawData # :nodoc:
+ def send_data(imap)
+ imap.send(:put_string, @data)
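Review bot: In the ftptls.rb hunk, the SSLSocket that replaces `@sock` in `login` never gets `sync_close`, while the imap.rb hunk's `start_tls_session` sets `@sock.sync_close = true` before `connect`; if the new `post_connection_check(@hostname)` raises, the underlying TCP socket stays open and closing the SSL layer later will not close it either, so add `@sock.sync_close = true` directly after `@sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)`. `@hostname` is only assigned by the new `connect` override, so a `login` on an instance whose connection was set up another way would hand `nil` to the check; a comment on `connect` such as `# remembers the host so login can bind the server certificate to it` would make that dependency visible. In telnets.rb the guard compares `@options['VerifyMode']` with `VERIFY_NONE`, so an unset option still runs the hostname check, which is the safe direction; imap.rb conditions the check on `verify`, consistent with no peer verification meaning no hostname binding, and references `@host`, which is assigned outside this hunk and should be confirmed.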