199191 CVE-2007-5770 2007-11-14 23:17 0000 dev-lang/ruby < 1.8.6_p111 SSL commonName (CN) verficiation in Net::ftptls, telnets, imap, pop, smtp (CVE-2007-5770) 2008-01-10 09:09:45 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656 B4 [noglsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org mips@gentoo.org ruby@gentoo.org rbu@gentoo.org 2007-11-14 23:17:06 0000 CVE-2007-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5770): The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. rbu@gentoo.org 2007-11-14 23:19:18 0000 Ruby, can you confirm that these modules were fixed in the update in bug 194236 or do they need additional patching? rbu@gentoo.org 2007-11-20 00:48:45 0000 ruby, please advise. py@gentoo.org 2007-12-08 23:54:07 0000 (In reply to comment #2) > ruby, please advise. > *ping* graaff@gentoo.org 2007-12-09 09:59:36 0000 Sorry for the delay. Richard has been working on this but he has not been online for several weeks now, and I don't know much about this. Judging from the redhat report this issue is similar to bug 194236 but for the other services using SSL. So: more patching is needed. Redhat bug https://bugzilla.redhat.com/show_bug.cgi?id=362081 seems to be the patch required. rbrown@gentoo.org 2007-12-09 17:43:19 0000 The patch linked is against ruby trunk, not the 1.8 branch, I've sent an email to ruby-core to see what they say. Sorry for the delay. rbrown@gentoo.org 2007-12-23 10:45:03 0000 I've added =dev-lang/ruby-1.8.6_p111. Arches please stabilise. maekke@gentoo.org 2007-12-23 13:46:27 0000 x86 stable ranger@gentoo.org 2007-12-23 17:16:11 0000 ppc and ppc64 done jer@gentoo.org 2007-12-24 02:39:00 0000 dev-lang/ruby-1.8.6_p111-r1 marked stable for HPPA. rbrown@gentoo.org 2007-12-24 08:36:11 0000 Just to be clear I was asking for 1.8.6_p111 to be stabled, not 1.8.6_p111-r1. Jer, I've added hppa back so you see this, but I don't think the world is going to end, -r1 has some more bugfixes from upstream and the ebuild has been reworked a little, but should still be basically fine. -r0 specifically only has the security changes in it. jer@gentoo.org 2007-12-24 14:55:22 0000 (In reply to comment #10) > Just to be clear I was asking for 1.8.6_p111 to be stabled So I told exactly which version I stabled. :) I can mark -r0 for you as well if you like... armin76@gentoo.org 2007-12-24 15:31:11 0000 alpha/ia64/sparc stable welp@gentoo.org 2007-12-26 09:05:09 0000 amd64 stable keytoaster@gentoo.org 2007-12-26 11:41:09 0000 All supported arches done, vote now. rbu@gentoo.org 2007-12-26 12:05:16 0000 Similar to the issue in bug 194236, voting NO. dercorny@gentoo.org 2007-12-26 21:57:18 0000 tend to say no py@gentoo.org 2007-12-28 23:37:52 0000 no too, closing.