From ${URL} :

Ruby OpenSSL hostname matching implementation violates RFC 6125.

- Wildcard matching code allowed multiple wildcards (e.g. *.*.*)
- Wildcards were mishandled for IDNA names (a la CVE-2014-1492)

Upstream patch: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596

Acknowledgements: Red Hat would like to thank the Ruby upstream for reporting this issue. Upstream acknowledges Tony Arcieri as the original reporter.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
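Added example, not code from the bug report or from the ruby/openssl patch linked above: a hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rules, placed next to a loose matcher that turns every "*" into "[^.]+" and so reproduces the two defects the report names (multiple wildcards, wildcards inside IDNA "xn--" labels). Function names, the CASES table and the sample identifiers are assumptions made for this illustration.

```ruby
# Added example, not code from the bug report or from the ruby/openssl patch:
# a hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rules,
# next to a loose matcher that turns every "*" into "[^.]+" and so shows the
# two defects named in the report. Function names and sample identifiers are
# assumptions made for this illustration.

# Loose matcher (constructed to show the bug class): any number of "*" in
# any label, including inside an IDNA "xn--" label, is accepted.
def loose_match?(san, hostname)
  reg = Regexp.escape(san).gsub(/\\\*/, "[^.]+")
  !(/\A#{reg}\z/i =~ hostname).nil?
end

# One label of the presented identifier (certificate DNS-ID) against one
# label of the reference identifier (the hostname), per RFC 6125 6.4.3.
def label_match?(san_label, host_label)
  halves = san_label.split("*", -1)
  return false if halves.size > 2                       # more than one "*" in a label
  return san_label == host_label if halves.size == 1    # no wildcard: exact match
  prefix, suffix = halves
  partial = !prefix.empty? || !suffix.empty?
  # Item 3: a wildcard embedded in an A-label ("xn--*", "x*") must not be
  # matched against a punycode label; a bare "*" label is not embedded.
  return false if partial && host_label.start_with?("xn--")
  return false if host_label.length <= prefix.length + suffix.length  # "*" covers >= 1 char
  host_label.start_with?(prefix) && host_label.end_with?(suffix)
end

# Strict matcher. Returns true only if `hostname` matches the DNS-ID `san`.
def strict_match?(san, hostname)
  # RFC 5280 DNS-IDs are IA5String; reject anything non-ASCII outright.
  return false unless san.ascii_only? && hostname.ascii_only?
  san_parts  = san.downcase.split(".", -1)        # matching is case-insensitive
  host_parts = hostname.downcase.split(".", -1)
  return san_parts == host_parts if san_parts.size < 2  # no domain to anchor a wildcard
  # Item 2: a wildcard matches exactly one label, so label counts must agree
  # ("*.example.com" matches foo.example.com, not bar.foo.example.com).
  return false unless san_parts.size == host_parts.size
  # Item 1: only the left-most label may carry a wildcard (not bar.*.example.net).
  return false if san_parts[1..-1].any? { |l| l.include?("*") }
  return false unless label_match?(san_parts[0], host_parts[0])
  san_parts[1..-1] == host_parts[1..-1]
end

# Constructed cases covering the report: multiple wildcards and IDNA labels.
CASES = [
  ["*.example.com",     "foo.example.com"],
  ["*.example.com",     "bar.foo.example.com"],
  ["*.*.*",             "a.b.c"],
  ["bar.*.example.com", "bar.foo.example.com"],
  ["xn--*.example.com", "xn--qdk4b9b.example.com"],
  ["*.example.com",     "xn--qdk4b9b.example.com"],
].freeze

# Returns [san, hostname, loose_result, strict_result] for every case.
def compare_all(cases = CASES)
  cases.map { |san, host| [san, host, loose_match?(san, host), strict_match?(san, host)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_all.each do |san, host, loose, strict|
    printf("%-20s %-26s loose=%-5s strict=%s\n", san, host, loose, strict)
  end
end
```

Running the script prints one row per case; the rows where the loose matcher says true and the strict one says false ("*.*.*", "bar.*.example.com", "xn--*.example.com") are exactly the patterns an attacker who can obtain a certificate for a name they control would exploit against a client using the loose rule. The bare "*" label is still allowed to match a punycode label, because there the wildcard is the whole label and is not embedded in the A-label.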
The ruby team will wait for new upstream releases for this.
ruby-2.0.0_p645, ruby-2.1.6, and ruby-2.2.2 are now in the gentoo tree. These are the upstream releases where this bug is fixed. The openssl patch has also been backported to ruby-1.9.3_p551-r1. Since ruby 1.9 and ruby 2.0 only contain this security fix we can move to stabilization right away:

=dev-lang/ruby-1.9.3_p551-r1
=dev-lang/ruby-2.0.0_p645
amd64 stable
x86 stable
Stable for HPPA.
Stable for PPC64.
ppc stable
alpha stable
ia64 stable
sparc stable
arm stable. Maintainer(s), please cleanup. Security, please vote.
Vulnerable versions have been removed.
Arches and Maintainer(s), thank you for your work. GLSA Vote: No
NO too, closing.