Bug 546042 (CVE-2015-1855) - <dev-lang/ruby{1.9.3_p551-r1,2.0.0_p645}: OpenSSL extension hostname matching implementation violates RFC 6125 (CVE-2015-1855)
Status: RESOLVED FIXED
Alias: CVE-2015-1855
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-09 09:57 UTC by Agostino Sarubbo
Modified: 2015-07-16 14:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-04-09 09:57:46 UTC
From ${URL} :

Ruby OpenSSL hostname matching implementation violates RFC 6125.

- Wildcard matching code allowed multiple wildcards (e.g. *.*.*)
- Wildcards were mishandled for IDNA names (ala CVE-2014-1492)

Upstream patch: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596

Acknowledgements:

Red Hat would like to thank the Ruby upstream for reporting this issue. Upstream acknowledges Tony Arcieri as the original reporter.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
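As an added illustration (not the upstream patch and not Gentoo's code), the following Ruby matcher applies the RFC 6125 section 6.4.3 wildcard rules and rejects the two cases named in the description: more than one wildcard in a presented name, and a wildcard compared against an IDNA A-label. The module name HostnameCheck and the stricter rule that a wildcard must match at least one character are assumptions of this example.

```ruby
# Hypothetical module: an RFC 6125-style dNSName matcher written for this
# bug report, not the code of ruby/openssl.
module HostnameCheck
  module_function

  # True if +presented+ (a dNSName SAN or CN from the certificate) matches
  # +reference+ (the hostname the client intended to reach).
  def match?(presented, reference)
    # RFC 5280: dNSName is an IA5String, so reject non-ASCII input outright.
    return false unless presented.ascii_only? && reference.ascii_only?

    # Matching is case-insensitive (RFC 6125, section 6.4.1).
    p_labels = presented.downcase.split(".", -1)
    r_labels = reference.downcase.split(".", -1)

    # Reject empty labels ("a..b", trailing dot) and single-label names.
    return false if p_labels.size < 2 || p_labels.any?(&:empty?)
    return false if r_labels.any?(&:empty?)

    # A wildcard never spans labels, so the label counts must agree
    # ("*.example.com" must not match "a.b.example.com").
    return false unless p_labels.size == r_labels.size

    # Subitem 1: a wildcard is only allowed in the left-most label, so
    # "*.*.com" and "*.*.*" are rejected here.
    return false if p_labels[1..-1].any? { |l| l.include?("*") }

    return false unless label_match?(p_labels[0], r_labels[0])
    p_labels[1..-1] == r_labels[1..-1]
  end

  # Compare the left-most labels, honouring at most one "*" in +presented+.
  def label_match?(presented, reference)
    parts = presented.split("*", -1)
    return presented == reference if parts.size == 1 # no wildcard at all
    return false if parts.size > 2                   # "a*b*c": two wildcards

    # Subitem 3: never match a wildcard inside an IDNA A-label (xn--...).
    return false if reference.start_with?("xn--") || presented.start_with?("xn--")

    prefix, suffix = parts
    # The literal prefix/suffix must be present and the wildcard must cover
    # at least one character (assumed stricter-than-RFC choice).
    reference.length > prefix.length + suffix.length &&
      reference.start_with?(prefix) && reference.end_with?(suffix)
  end
end
```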
Comment 1 Hans de Graaff gentoo-dev Security 2015-04-13 18:07:07 UTC
The ruby team will wait for new upstream releases for this.
Comment 2 Hans de Graaff gentoo-dev Security 2015-04-14 05:43:07 UTC
ruby-2.0.0_p645, ruby-2.1.6, and ruby-2.2.2 are now in the gentoo tree. These are the upstream releases where this bug is fixed. The openssl patch has also been backported to ruby-1.9.3_p551-r1. Since ruby 1.9 and ruby 2.0 only contain this security fix we can move to stabilization right away:

=dev-lang/ruby-1.9.3_p551-r1
=dev-lang/ruby-2.0.0_p645
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-14 07:20:31 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-14 07:20:47 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-15 04:17:56 UTC
Stable for HPPA.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-22 17:20:55 UTC
Stable for PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-04-27 09:05:23 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:09 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-04-28 07:46:56 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-29 09:20:21 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-05-27 13:06:13 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Hans de Graaff gentoo-dev Security 2015-05-27 19:18:49 UTC
Vulnerable versions have been removed.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 18:43:56 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:31:32 UTC
NO too, closing.