Ruby SSL Certificate Attribute Verification Bugs Let Remote Users Conduct Man-in-the-Middle Attacks
|
|
SecurityTracker Alert ID: 1018938 |
|
SecurityTracker URL: http://securitytracker.com/id/1018938
|
|
CVE Reference:
CVE-2007-5162, CVE-2007-5770
(Links to External Site)
|
Date: Nov 13 2007
|
Impact:
User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.8, 1.9
|
Description:
Several vulnerabilities were reported in Ruby in the verification of SSL certificate attributes. A remote user may be able to conduct man-in-the-middle attacks.
Several ruby net::* modules do not properly verify the commonName (CN) attribute of SSL certificate provided by remote server against the requested hostname.
The net::http(s) module is affected [CVE-2007-5162].
The net::ftptls, net::telnets, and net::imap modules and the CVS versions of net::pop and net::smtp are also affected [CVE-2007-5770].
iSEC Partners reported the net::http(s) vulnerability.
The original advisory is available at:
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
|
Impact:
A remote user may be able to conduct man-in-the-middle attacks against encrypted sessions.
|
Solution:
The vendor has issued fixed versions for CVE-2007-5162 (1.8.6-p111 or 1.8.5-p114).
A source code fix for CVE-2007-5770 is available at:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
|
Vendor URL: www.ruby-lang.org/ (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 13 Nov 2007 08:24:01 -0500
Subject: Ruby
|
CVE-2007-5162
CVE-2007-5770
|
|
