CVE-2007-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5770): The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.
Ruby, can you confirm that these modules were fixed in the update in bug 194236 or do they need additional patching?
ruby, please advise.
(In reply to comment #2) > ruby, please advise. > *ping*
Sorry for the delay. Richard has been working on this but he has not been online for several weeks now, and I don't know much about this. Judging from the redhat report this issue is similar to bug 194236 but for the other services using SSL. So: more patching is needed. Redhat bug https://bugzilla.redhat.com/show_bug.cgi?id=362081 seems to be the patch required.
The patch linked is against ruby trunk, not the 1.8 branch, I've sent an email to ruby-core to see what they say. Sorry for the delay.
I've added =dev-lang/ruby-1.8.6_p111. Arches please stabilise.
x86 stable
ppc and ppc64 done
dev-lang/ruby-1.8.6_p111-r1 marked stable for HPPA.
Just to be clear I was asking for 1.8.6_p111 to be stabled, not 1.8.6_p111-r1. Jer, I've added hppa back so you see this, but I don't think the world is going to end, -r1 has some more bugfixes from upstream and the ebuild has been reworked a little, but should still be basically fine. -r0 specifically only has the security changes in it.
(In reply to comment #10) > Just to be clear I was asking for 1.8.6_p111 to be stabled So I told exactly which version I stabled. :) I can mark -r0 for you as well if you like...
alpha/ia64/sparc stable
amd64 stable
All supported arches done, vote now.
Similar to the issue in bug 194236, voting NO.
tend to say no
no too, closing.
