| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | dev-lang/ruby <1.8.5_p113 and <1.8.6_p110-r1 Net::HTTPS library does not validate server certificate CN (CVE-2007-5162) | | |
| Product: | Gentoo Security | Reporter: | Rajiv Aaron Manglani (RETIRED) <rajiv> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.isecpartners.com/advisories/2007-006-rubyssl.txt | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Rajiv Aaron Manglani (RETIRED)
2007-09-30 00:35:21 UTC
the correct url for the isecpartners advisory is http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

Richard, you bumped Ruby to 1.8.5_p113 and 1.8.6_p110-r1 a week ago. Is 1.8.5_p113 ok to go stable? Can you remove non-stable vulnerable versions?

Rbu, sorry, I also added an apparently entirely imaginary comment to this bug when I bumped them. x86 and amd64 are still on 1.8.5, they can either go to the latest 1.8.5 or 1.8.6, everyone else except mips is on 1.8.6. I haven't checked but I suspect 1.8.4 is also affected, so mips should probably stabilise a new version as well.

I've removed all the other versions.

I was wrong, mips is on 1.8.6-r1 as well. Arches please stabilise.

x86 stable

*** Bug 181110 has been marked as a duplicate of this bug. ***

ppc stable

alpha/ia64/sparc stable

Stable for HPPA.

amd64 stable for ruby-1.8.6-r1.ebuild

stable on ppc64: dev-lang/ruby-1.8.5_p113 dev-lang/ruby-1.8.6_p110-r1

If someone calls arches he should mention the versions, which should go stable. amd64, I think you marked the wrong version stable..

amd64 stable

time for glsa decision. I tend to vote NO.

I vote NO.

very rare - i vote no too.

Closing with noglsa. Feel free to reopen if you disagree.