Summary: | <dev-lang/ruby-{1.8.7_p374,1.9.3_p448} : hostname check bypassing vulnerability in SSL client (CVE-2013-4073) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=979251 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-06-28 08:16:29 UTC
Fixed versions are now in the tree. The additional changes don't look very invasive, so let's continue with stabling right away: =dev-lang/ruby-1.8.7_p374 =dev-lang/ruby-1.9.3_p448 amd64 stable x86 stable arm stable ppc stable Stable for HPPA. ppc64 stable alpha stable ia64 stable sh stable sparc stable s390 stable GLSA vote: no. CVE-2013-4073 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4073): The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. GLSA vote: no Closing as noglsa |