Net::HTTPS Vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ruby1.8 (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | Undecided | Stephan Rügamer |
Edgy | Fix Released | Undecided | Stephan Rügamer |
Feisty | Fix Released | Undecided | Stephan Rügamer |
Gutsy | Fix Released | Undecided | Stephan Rügamer |
Hardy | Fix Released | Undecided | Unassigned |
ruby1.9 (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Won't Fix | Undecided | Unassigned |
Edgy | Won't Fix | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Unassigned |
Gutsy | Won't Fix | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: ruby1.8
A vulnerability on the net/https library was reported.
Detailed information should be found at the original advisory:
<URL:http://
Impact
The vulnerability exists in the connect method within http.rb file which
fails to call post_connection
negotiated. Since the server certificate's CN is not validated against
the requested DNS name, the attacker can impersonate the target server
in a SSL connection. The integrity and confidentiality benefits of
SSL are thereby eliminated.
Vulnerable versions
1.8 series
* 1.8.4 and all prior versions
* 1.8.5-p113 and all prior versions
* 1.8.6-p110 and all prior versions
Development version (1.9 series)
All versions before 2006-09-23
Solution
1.8 series
Please upgrade to 1.8.6-p111 or 1.8.5-p114.
* <URL:http://
* <URL:http://
Please note that a package that corrects this weakness may already be available through your package management software.
Development version (1.9 series)
Please update your Ruby to a version after 2006-09-23.
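The Impact section above separates two checks: whether a certificate chains to a trusted issuer, and whether it names the host the client asked for. The following added example (not part of the advisory or the Ruby source) shows with Ruby's `openssl` library that a certificate can pass the first check and still fail the second; the host names, certificates and helper names are constructed for illustration.

```ruby
require "openssl"

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key for the constructed certificates

# Build a self-signed certificate whose subject CN is common_name (sample data).
def make_cert(common_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.subject = name
  cert.issuer = name
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain validation only: "was this certificate issued by someone I trust?"
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Chain validation plus the identity check against the requested DNS name.
def acceptable_for?(cert, store, requested_host)
  chain_trusted?(cert, store) &&
    OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Constructed scenario: both certificates are trusted by the client's store,
# but only one of them names the host the client asked for.
TARGET_CERT = make_cert("www.example.com")
OTHER_CERT  = make_cert("other.example.net")
STORE = OpenSSL::X509::Store.new
STORE.add_cert(TARGET_CERT)
STORE.add_cert(OTHER_CERT)

puts "other cert, chain only:     #{chain_trusted?(OTHER_CERT, STORE)}"
puts "other cert, chain + name:   #{acceptable_for?(OTHER_CERT, STORE, 'www.example.com')}"
puts "target cert, chain + name:  #{acceptable_for?(TARGET_CERT, STORE, 'www.example.com')}"
```

A client that stops after `chain_trusted?` accepts the certificate issued for `other.example.net` on a connection to `www.example.com`; the name comparison is what rejects it.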
Changed in ruby1.8: | |
assignee: | nobody → shermann |
status: | New → In Progress |
assignee: | shermann → nobody |
status: | In Progress → Fix Released |
Changed in ruby1.9: | |
status: | New → Fix Released |
Dear Colleagues,
I'm creating some patches against ruby1.8 and ruby1.9 for gutsy and all other affected versions in our releases.