Bug 260006 (CVE-2009-0642) - <dev-lang/ruby-{1.8.6_p287-r{5, 12}, 1.8.7_p72-r2}: X.509 certificate spoofing vulnerability (CVE-2009-0642)
Status: RESOLVED FIXED
Alias: CVE-2009-0642
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://redmine.ruby-lang.org/issues/s...
Whiteboard: B4 [noglsa]
Reported: 2009-02-23 13:47 UTC by Alex Legler (RETIRED)
Modified: 2009-02-25 17:00 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-02-23 13:47:11 UTC
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.
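The practical consequence of the unchecked return value is on the client side: OCSP_basic_verify returns 1 only when the responder signature, the signer's chain and the issuer match all check out, and both 0 and a negative result mean the response must be rejected. The following is an added example, not code from the bug report, from Ruby's ext/openssl or from Gentoo; it shows how a Ruby client should consume OpenSSL::OCSP::BasicResponse#verify (accept nothing but an explicit true), exercised against a throwaway CA, end-entity certificate and a rogue self-signed responder that are all constructed inside the script. The names (make_cert, build_response, ocsp_status, run_demo, "Demo Test CA", "demo.test") are assumptions of the example and require a modern Ruby with the openssl extension.

```ruby
require 'openssl'

# Added example (not from the bug report or from Ruby's own sources): a
# client-side OCSP check that treats anything other than an explicit true
# from BasicResponse#verify as failure, run against a CA built on the fly.
# Every key, certificate and name below is constructed for the demo.

# Build a self-signed (issuer_cert nil) or CA-issued X.509 certificate.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, serial: 1, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Produce a DER-encoded "good" OCSP response for subject, signed by signer.
# OpenSSL embeds the signer certificate in the response unless NOCERTS is set.
def build_response(subject, issuer, signer_cert, signer_key)
  cid = OpenSSL::OCSP::CertificateId.new(subject, issuer)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil,
                   Time.now, Time.now + 300, [])
  basic.sign(signer_cert, signer_key, [], 0, 'SHA256')
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, basic).to_der
end

# Evaluate a received response for subject. The decisive line is the
# `== true` test: the signer (looked up in extra_certs or in the certs the
# response carries) must have a valid signature AND a chain that validates
# against store AND be entitled to answer for issuer; anything else is a
# failure, which is what the fixed Ruby reports as false.
def ocsp_status(der, subject, issuer, store, extra_certs = [])
  resp = OpenSSL::OCSP::Response.new(der)
  return :unverified unless resp.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
  basic = resp.basic
  return :unverified if basic.nil?
  return :unverified unless basic.verify(extra_certs, store) == true
  wanted = OpenSSL::OCSP::CertificateId.new(subject, issuer)
  entry = basic.status.find { |(cid, *_)| cid.cmp(wanted) }
  return :unverified if entry.nil?
  case entry[1]
  when OpenSSL::OCSP::V_CERTSTATUS_GOOD then :good
  when OpenSSL::OCSP::V_CERTSTATUS_REVOKED then :revoked
  else :unknown
  end
end

# Three scenarios: a genuine response with the CA trusted, the same response
# with an empty trust store, and a response forged by an untrusted responder.
def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Demo Test CA', ca_key, serial: 1, ca: true)
  ee_key = OpenSSL::PKey::RSA.new(2048)
  ee = make_cert('/CN=demo.test', ee_key, issuer_cert: ca, issuer_key: ca_key, serial: 2)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = make_cert('/CN=Rogue Responder', rogue_key, serial: 3)

  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca)
  empty = OpenSSL::X509::Store.new

  genuine = build_response(ee, ca, ca, ca_key)
  forged  = build_response(ee, ca, rogue, rogue_key)

  {
    genuine_trusted_store: ocsp_status(genuine, ee, ca, trusted, [ca]),
    genuine_empty_store:   ocsp_status(genuine, ee, ca, empty,   [ca]),
    forged_trusted_store:  ocsp_status(forged,  ee, ca, trusted, [rogue])
  }
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

Only the first scenario yields :good; the other two yield :unverified because OCSP_basic_verify cannot build a trusted chain for the signer. A client that instead wrote `unless basic.verify(...)` with the vulnerable interpreter could have been told the forged response was fine.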
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-02-23 14:16:05 UTC
dev-lang/ruby-1.8.6_p287-r5 and -12, and 1.8.7_p72-r2 are now in the tree, fixing this issue.

Arches, please stabilize 1.8.6_p287-*r5*.
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2009-02-23 14:58:40 UTC
Stable on alpha.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-23 16:29:56 UTC
Stable for HPPA.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-23 18:04:48 UTC
amd64 stable, after Alex forced me multiple times.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-02-23 18:12:00 UTC
ppc64 done
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-02-23 18:21:08 UTC
(In reply to comment #4)
> amd64 stable, after Alex forced me multiple times.

Yayaya, stop whining. :p

(Not a senseless update, fixing summary at the same time ;) )
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-25 14:41:05 UTC
arm/ia64/s390/sh/sparc/x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:31:16 UTC
ppc stable
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-02-25 16:42:32 UTC
GLSA voting, please.

[If you allow me to cast a vote, I would say no.]
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 17:00:02 UTC
Practically unused, NO -- closing.