Summary: | dev-lang/ruby < 1.8.6_p111 SSL commonName (CN) verification in Net::ftptls, telnets, imap, pop, smtp (CVE-2007-5770) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2007-11-14 23:17:06 UTC
Ruby, can you confirm that these modules were fixed in the update in bug 194236 or do they need additional patching?

ruby, please advise.

(In reply to comment #2)
> ruby, please advise.

*ping*

Sorry for the delay. Richard has been working on this but he has not been online for several weeks now, and I don't know much about this. Judging from the redhat report this issue is similar to bug 194236 but for the other services using SSL. So: more patching is needed.

Redhat bug https://bugzilla.redhat.com/show_bug.cgi?id=362081 seems to be the patch required. The patch linked is against ruby trunk, not the 1.8 branch, I've sent an email to ruby-core to see what they say.

Sorry for the delay. I've added =dev-lang/ruby-1.8.6_p111. Arches please stabilise.

x86 stable

ppc and ppc64 done

dev-lang/ruby-1.8.6_p111-r1 marked stable for HPPA.

Just to be clear I was asking for 1.8.6_p111 to be stabled, not 1.8.6_p111-r1. Jer, I've added hppa back so you see this, but I don't think the world is going to end, -r1 has some more bugfixes from upstream and the ebuild has been reworked a little, but should still be basically fine. -r0 specifically only has the security changes in it.

(In reply to comment #10)
> Just to be clear I was asking for 1.8.6_p111 to be stabled

So I told exactly which version I stabled. :) I can mark -r0 for you as well if you like...

alpha/ia64/sparc stable

amd64 stable

All supported arches done, vote now. Similar to the issue in bug 194236, voting NO.

tend to say no no too, closing.