Summary: | <dev-ruby/rubygems-{2.2.5,2.4.8}: DNS request hijacking (CVE-2015-3900) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2015/06/26/2 | ||
Whiteboard: | B3 [noglsa/cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-06-26 09:20:32 UTC
Fixed rubygems versions are already in the tree and can be marked stable.

=dev-ruby/rubygems-2.2.5

Stable for PPC64.

Arches, please test and mark stable:
=dev-ruby/rubygems-2.2.5
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!

CVE-2015-3900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3900):
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

amd64 stable

x86 stable

arm stable

Stable for HPPA.

alpha stable

ppc stable

sparc stable

Version - 2.2.5-r1 already stabilized, which supersedes this.

Security Please Vote.

First GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Vulnerable versions removed.

ia64 stable.

Maintainer(s), please cleanup.

Security, please vote.

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

(In reply to Yury German from comment #15)
> Arches and Maintainer(s), Thank you for your work.
>
> GLSA Vote: No

GLSA Vote: No
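The hostname check that the CVE description above says was missing, shown as an added example alongside the unchecked pattern. This is illustration code written for this page, not RubyGems' own code and not part of the bug report. The SRV answers are a constructed in-memory table so the example runs offline; the function names and the `_rubygems._tcp.<host>` query name are assumptions for the example.

```ruby
require 'uri'

# Added example, not RubyGems' own code. It shows the class of bug in
# CVE-2015-3900: a gem client asks DNS for an SRV record to find the API
# host for a gem source, and the vulnerable version trusts whatever target
# host the record names, so a crafted record can point it at any domain.

# Constructed SRV answers, keyed by the queried name, so the example runs
# offline. A real client would call
#   Resolv::DNS.new.getresources(name, Resolv::DNS::Resource::IN::SRV)
# and read +target+ from the returned records.
SAMPLE_SRV = {
  "_rubygems._tcp.rubygems.org"     => "api.rubygems.org.",    # legitimate, FQDN form
  "_rubygems._tcp.gems.example.org" => "attacker.example.net",  # crafted: foreign domain
  "_rubygems._tcp.corp.example.com" => "evilcorp.example.com",  # crafted: lookalike suffix
}.freeze

# Look up the SRV target for a gem source host (query name is an assumption).
def srv_target(host, records = SAMPLE_SRV)
  records["_rubygems._tcp.#{host}"]
end

# Vulnerable pattern: the SRV target replaces the source host unconditionally,
# so a crafted record redirects gem fetches and API calls to any domain.
def api_host_unchecked(source_uri, records = SAMPLE_SRV)
  host = URI(source_uri).host
  target = srv_target(host, records)
  target ? target.chomp(".") : host
end

# Hardened pattern: accept the SRV target only if it is the source host itself
# or a dot-delimited subdomain of it; anything else falls back to the source
# host. Names are lowercased and stripped of a trailing dot before comparison
# so that "API.Rubygems.org." and "api.rubygems.org" compare equal, and the
# leading dot in the suffix test rejects lookalikes such as evilcorp.example.com
# for a source of corp.example.com.
def api_host_checked(source_uri, records = SAMPLE_SRV)
  host = URI(source_uri).host.downcase
  target = srv_target(host, records)
  return host if target.nil?
  target = target.downcase.chomp(".")
  return target if target == host || target.end_with?(".#{host}")
  host
end

if __FILE__ == $PROGRAM_NAME
  %w[https://rubygems.org https://gems.example.org https://corp.example.com].each do |src|
    puts "#{src}: unchecked=#{api_host_unchecked(src)} checked=#{api_host_checked(src)}"
  end
end
```

Run it directly to see the two behaviours side by side: the unchecked variant follows the crafted records to attacker.example.net and evilcorp.example.com, while the checked variant keeps the original source host for both and only honours the legitimate api.rubygems.org delegation.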