| Summary: | <dev-ruby/rubygems-1.8.24: Remote Repository SSL Certificate Verification Security Issue (CVE-2012-{2125,2126}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/48807/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 396305, 411507 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2012-04-21 09:56:51 UTC
(In reply to comment #0)
> Solution
> Update to version 1.9.3-p194.

Probably not since we unbundle rubygems. We should upgrade to a newer rubygems version instead; 1.8.23 is mentioned in the ruby 1.9.3 release message.

dev-ruby/rubygems-1.8.23 is now in the tree.

We should test this version in the tree for at least a week before considering stabilization. Also, we need a newer jruby version stable first, see bug 396305.

(In reply to comment #3)
> We should test this version in the tree for at least a week before
> considering stabilization. Also, we need a newer jruby version stable first,
> see bug 396305.

jruby 1.6.5.1 has been stabilized. Is =dev-ruby/rubygems-1.8.23 fixed and are we ready to stabilize it here now? Tnx.

(In reply to comment #4)
> (In reply to comment #3)
> > We should test this version in the tree for at least a week before
> > considering stabilization. Also, we need a newer jruby version stable first,
> > see bug 396305.
>
> jruby 1.6.5.1 has been stabilized. Is =dev-ruby/rubygems-1.8.23 fixed and
> are we ready to stabilize it here now? Tnx.

rubygems 1.8.23 is fixed, so potentially it can be stabilized, but I want to coordinate this with stabilization of ruby 1.9. Also, rubygems 1.8.x was a big step compared to our previous stable version (e.g. obsoleting the gems.eclass ebuilds), so I wanted to stable a proven version first. I'll try to put together the stabilization bugs for this in the weekend.

Hans, @ruby, a friendly ping on this. Shall we move forward with stabilization? I suspect bug 348901 may have fixed/tracked any blockers? And we'll target 1.8.24, right? Thanks much.

(In reply to comment #6)
> Hans, @ruby, a friendly ping on this. Shall we move forward with
> stabilization? I suspect bug 348901 may have fixed/tracked any blockers? And
> we'll target 1.8.24, right? Thanks much.

I've just added arches to bug 411507 which asks for ruby 1.9 stabilization and includes rubygems 1.8.24.

Thanks, everyone. GLSA vote: no. Thanks, folks.

GLSA Vote: no too, closing noglsa.

CVE-2012-2126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2126): RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.

CVE-2012-2125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2125): RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
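The two CVEs above describe a download client that accepts any certificate and follows an HTTPS-to-HTTP redirect. As an added illustration (not code from this bug or from RubyGems itself), here is a small Ruby fetch helper that enforces the opposite: peer certificate verification on the Net::HTTP client and a redirect policy that refuses any downgrade to plain HTTP; `FakeResponse` and `scripted_fetcher` are constructed stand-ins for a mirror so the policy can be exercised offline.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

class DowngradeError   < StandardError; end
class TooManyRedirects < StandardError; end

# Redirect policy: an https: origin may only be redirected to another https: URL.
# Non-HTTP schemes are never followed.
def safe_redirect?(from, to)
  from, to = URI(from), URI(to)
  return false unless %w[http https].include?(to.scheme)
  from.scheme != 'https' || to.scheme == 'https'
end

# Net::HTTP client with certificate verification forced on (VERIFY_PEER),
# the opposite of the unverified TLS connections CVE-2012-2126 describes.
# ca_file is optional; without it the default OpenSSL trust store is used.
def hardened_http(uri, ca_file: nil)
  uri  = URI(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl     = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file     = ca_file if ca_file
  end
  http
end

# Live fetcher; used only when no scripted fetcher is injected.
LIVE_FETCHER = ->(uri) { hardened_http(uri).request(Net::HTTP::Get.new(uri)) }

# Fetches +uri+, following at most +limit+ redirects and refusing any that
# downgrade to plain HTTP (the CVE-2012-2125 failure mode).
def fetch_gem(uri, limit: 5, fetcher: LIVE_FETCHER)
  raise TooManyRedirects, uri.to_s if limit.zero?
  uri = URI(uri)
  res = fetcher.call(uri)
  return res.body unless res.code.start_with?('3') && res['location']
  target = URI.join(uri.to_s, res['location']).to_s
  raise DowngradeError, "#{uri} -> #{target}" unless safe_redirect?(uri, target)
  fetch_gem(target, limit: limit - 1, fetcher: fetcher)
end

# Constructed, offline stand-in for a mirror: URL -> [status, location, body].
FakeResponse = Struct.new(:code, :location, :body) do
  def [](header)
    header.casecmp?('location') ? location : nil
  end
end

def scripted_fetcher(table)
  ->(uri) { FakeResponse.new(*table.fetch(uri.to_s)) }
end
```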