Bugzilla Bug 199191

CVE-2007-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5770):
  The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5)
  Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName
  (CN) field in a server certificate matches the domain name in a request sent
  over SSL, which makes it easier for remote attackers to intercept SSL
  transmissions via a man-in-the-middle attack or spoofed web site, different
  components than CVE-2007-5162.

Ruby, can you confirm that these modules were fixed in the update in bug 194236
or do they need additional patching?

ruby, please advise.

(In reply to comment #2)
> ruby, please advise.
> 

*ping*

Sorry for the delay. Richard has been working on this but he has not been
online for several weeks now, and I don't know much about this.

Judging from the redhat report this issue is similar to bug 194236 but for the
other services using SSL. So: more patching is needed. Redhat bug
https://bugzilla.redhat.com/show_bug.cgi?id=362081 seems to be the patch
required. 

The patch linked is against ruby trunk, not the 1.8 branch, I've sent an email
to ruby-core to see what they say. Sorry for the delay.

I've added =dev-lang/ruby-1.8.6_p111. Arches please stabilise.

x86 stable

ppc and ppc64 done

dev-lang/ruby-1.8.6_p111-r1 marked stable for HPPA.

Just to be clear I was asking for 1.8.6_p111 to be stabled, not 1.8.6_p111-r1.
Jer, I've added hppa back so you see this, but I don't think the world is going
to end, -r1 has some more bugfixes from upstream and the ebuild has been
reworked a little, but should still be basically fine. -r0 specifically only
has the security changes in it.

(In reply to comment #10)
> Just to be clear I was asking for 1.8.6_p111 to be stabled

So I told exactly which version I stabled. :)
I can mark -r0 for you as well if you like...

alpha/ia64/sparc stable

amd64 stable

All supported arches done, vote now.

Similar to the issue in bug 194236, voting NO.

tend to say no

no too, closing.