Net::HTTPS Vulnerability

Bug #149616 reported by Geoff Jacobsen
Affects             Status        Importance  Assigned to      Milestone
ruby1.8 (Ubuntu)    Fix Released  Undecided   Unassigned
  Dapper            Fix Released  Undecided   Stephan Rügamer
  Edgy              Fix Released  Undecided   Stephan Rügamer
  Feisty            Fix Released  Undecided   Stephan Rügamer
  Gutsy             Fix Released  Undecided   Stephan Rügamer
  Hardy             Fix Released  Undecided   Unassigned
ruby1.9 (Ubuntu)    Fix Released  Undecided   Unassigned
  Dapper            Won't Fix     Undecided   Unassigned
  Edgy              Won't Fix     Undecided   Unassigned
  Feisty            Won't Fix     Undecided   Unassigned
  Gutsy             Won't Fix     Undecided   Unassigned
  Hardy             Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: ruby1.8

A vulnerability in the net/https library was reported.

Detailed information should be found at the original advisory:
<URL:http://www.isecpartners.com/advisories/2007-006-rubyssl.txt>

Impact

The vulnerability exists in the connect method within the http.rb file, which
fails to call post_connection_check after the SSL connection has been
negotiated. Since the server certificate's CN is not validated against
the requested DNS name, the attacker can impersonate the target server
in an SSL connection. The integrity and confidentiality benefits of
SSL are thereby eliminated.

Vulnerable versions

1.8 series

        * 1.8.4 and all prior versions

        * 1.8.5-p113 and all prior versions

        * 1.8.6-p110 and all prior versions

Development version (1.9 series)

    All versions before 2006-09-23

Solution

1.8 series

    Please upgrade to 1.8.6-p111 or 1.8.5-p114.

        * <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz>

        * <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.tar.gz>

    Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

    Please update your Ruby to a version after 2006-09-23.
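
The gap described in the advisory, modelled as an added example (not code from the advisory or from Ruby's net/https): a certificate that chains to a trusted root passes chain validation whatever name was requested, and only the identity comparison, which `post_connection_check` performs on the peer certificate, rejects a mismatched CN. The hostnames, helper names and self-signed certificate are constructed for illustration.

```ruby
require "openssl"

# Constructed test certificate: self-signed, identity carried only in the CN.
def make_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# Trust store that already trusts the constructed certificate.
def store_trusting(cert)
  OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
end

# Pre-fix decision as the advisory describes it: chain validation only,
# the requested name is never compared with the certificate.
def accepted_pre_fix?(cert, store, _requested_host)
  store.verify(cert)
end

# Post-fix decision: chain validation plus the name comparison.
def accepted_post_fix?(cert, store, requested_host)
  store.verify(cert) &&
    OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Certificate issued for one name, client asked for another (both constructed).
def demo
  cert  = make_cert("other.example.test")
  store = store_trusting(cert)
  {
    pre_fix_wrong_name:  accepted_pre_fix?(cert, store, "www.example.test"),
    post_fix_wrong_name: accepted_post_fix?(cert, store, "www.example.test"),
    post_fix_right_name: accepted_post_fix?(cert, store, "other.example.test"),
  }
end

p demo if $PROGRAM_NAME == __FILE__
```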

Stephan Rügamer (sruegamer) wrote :

Dear Colleagues,

I'm creating some patches against ruby1.8 and ruby1.9 for gutsy and all other affected versions in our releases.

Stephan Rügamer (sruegamer) wrote :

Just for your information:

The patches against 1.8.5 for CVE-2007-5162 you can find here: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502
The patches against 1.8.6 for CVE-2007-5162 you can find here:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504

For CVE-2007-5770 you can find here:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656

smtp.rb and pop.rb are not affected in our releases, because until then they didn't have any SSL operations enabled. That was changed later.

Regards,

\sh

Stephan Rügamer (sruegamer) wrote :
Changed in ruby1.8:
assignee: nobody → shermann
status: New → In Progress
William Grant (wgrant)
Changed in ruby1.8:
assignee: nobody → shermann
status: New → In Progress
assignee: nobody → shermann
status: New → In Progress
assignee: nobody → shermann
status: New → In Progress
assignee: nobody → shermann
status: New → In Progress
assignee: shermann → nobody
status: In Progress → Fix Released
Changed in ruby1.9:
status: New → Fix Released
Kees Cook (kees) wrote :

Thanks for these debdiffs! I had to adjust the feisty patch (it was not verifying https by default -- the others were). A new script in qa-regression-testing has been written to verify the https and imaps changes. This is being built now and should be published shortly.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.6.36-1ubuntu3.1

---------------
ruby1.8 (1.8.6.36-1ubuntu3.1) gutsy-security; urgency=low

  * SECURITY UPDATE: SSL connections did not check commonName early
    enough, possibly allowing sensitive information to be exposed.
  * debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
    http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
  * debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
    http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
  * References:
    CVE-2007-5162 CVE-2007-5770 (LP: #149616)

 -- Stephan Hermann <email address hidden> Tue, 13 Nov 2007 19:42:37 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.5-4ubuntu2.1

---------------
ruby1.8 (1.8.5-4ubuntu2.1) feisty-security; urgency=low

  * SECURITY UPDATE: SSL connections did not check commonName early
    enough, possibly allowing sensitive information to be exposed.
  * debian/patches/950_CVE-2007-5162.patch: upstream fixes, from
    http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
  * debian/patches/951_CVE-2007-5770.patch: upstream fixes, from
    http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
  * References:
    CVE-2007-5162 CVE-2007-5770 (LP: #149616)

 -- Stephan Hermann <email address hidden> Tue, 13 Nov 2007 19:42:37 +0100

Changed in ruby1.8:
status: In Progress → Fix Released
status: In Progress → Fix Released
Kees Cook (kees) wrote :

ruby1.8 has been released with: http://www.ubuntu.com/usn/usn-594-1

Changed in ruby1.8:
status: In Progress → Fix Released
status: In Progress → Fix Released
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in ruby1.9:
status: New → Won't Fix
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in ruby1.9:
status: New → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in ruby1.9 (Ubuntu Gutsy):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ruby1.9 (Ubuntu Dapper):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.