Bug 199191 - dev-lang/ruby < 1.8.6_p111 SSL commonName (CN) verficiation in Net::ftptls, telnets, imap, pop, smtp (CVE-2007-5770)
Bug#: 199191 (CVE-2007-5770) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
Summary: dev-lang/ruby < 1.8.6_p111 SSL commonName (CN) verficiation in Net::ftptls, telnets, imap, pop, smtp (CVE-2007-5770)
Keywords:  
Status Whiteboard: B4 [noglsa]
Opened: 2007-11-14 23:17 0000
Description:   Opened: 2007-11-14 23:17 0000 
CVE-2007-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5770):
  The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5)
  Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName
  (CN) field in a server certificate matches the domain name in a request sent
  over SSL, which makes it easier for remote attackers to intercept SSL
  transmissions via a man-in-the-middle attack or spoofed web site, different
  components than CVE-2007-5162.

------- Comment #1 From Robert Buchholz 2007-11-14 23:19:18 0000 ------- 
Ruby, can you confirm that these modules were fixed in the update in bug 194236
or do they need additional patching?

------- Comment #2 From Robert Buchholz 2007-11-20 00:48:45 0000 ------- 
ruby, please advise.

------- Comment #3 From Pierre-Yves Rofes 2007-12-08 23:54:07 0000 ------- 
(In reply to comment #2)
> ruby, please advise.
> 

*ping*

------- Comment #4 From Hans de Graaff 2007-12-09 09:59:36 0000 ------- 
Sorry for the delay. Richard has been working on this but he has not been
online for several weeks now, and I don't know much about this.

Judging from the redhat report this issue is similar to bug 194236 but for the
other services using SSL. So: more patching is needed. Redhat bug
https://bugzilla.redhat.com/show_bug.cgi?id=362081 seems to be the patch
required.

------- Comment #5 From Richard Brown (RETIRED) 2007-12-09 17:43:19 0000 ------- 
The patch linked is against ruby trunk, not the 1.8 branch, I've sent an email
to ruby-core to see what they say. Sorry for the delay.

------- Comment #6 From Richard Brown (RETIRED) 2007-12-23 10:45:03 0000 ------- 
I've added =dev-lang/ruby-1.8.6_p111. Arches please stabilise.

------- Comment #7 From Markus Meier 2007-12-23 13:46:27 0000 ------- 
x86 stable

------- Comment #8 From Brent Baude 2007-12-23 17:16:11 0000 ------- 
ppc and ppc64 done

------- Comment #9 From Jeroen Roovers 2007-12-24 02:39:00 0000 ------- 
dev-lang/ruby-1.8.6_p111-r1 marked stable for HPPA.

------- Comment #10 From Richard Brown (RETIRED) 2007-12-24 08:36:11 0000 ------- 
Just to be clear I was asking for 1.8.6_p111 to be stabled, not 1.8.6_p111-r1.
Jer, I've added hppa back so you see this, but I don't think the world is going
to end, -r1 has some more bugfixes from upstream and the ebuild has been
reworked a little, but should still be basically fine. -r0 specifically only
has the security changes in it.

------- Comment #11 From Jeroen Roovers 2007-12-24 14:55:22 0000 ------- 
(In reply to comment #10)
> Just to be clear I was asking for 1.8.6_p111 to be stabled

So I told exactly which version I stabled. :)
I can mark -r0 for you as well if you like...

------- Comment #12 From Raúl Porcel 2007-12-24 15:31:11 0000 ------- 
alpha/ia64/sparc stable

------- Comment #13 From Peter Weller 2007-12-26 09:05:09 0000 ------- 
amd64 stable

------- Comment #14 From Tobias Heinlein 2007-12-26 11:41:09 0000 ------- 
All supported arches done, vote now.

------- Comment #15 From Robert Buchholz 2007-12-26 12:05:16 0000 ------- 
Similar to the issue in bug 194236, voting NO.

------- Comment #16 From Stefan Cornelius (RETIRED) 2007-12-26 21:57:18 0000 ------- 
tend to say no

------- Comment #17 From Pierre-Yves Rofes 2007-12-28 23:37:52 0000 ------- 
no too, closing.