Public bug reported:

Binary package hint: ruby1.8

A vulnerability on the net/https library was reported. Detailed information should be found at the original advisory:
<URL:http://www.isecpartners.com/advisories/2007-006-rubyssl.txt>

Impact

The vulnerability exists in the connect method within http.rb file which fails to call post_connection_check after the SSL connection has been negotiated. Since the server certificate's CN is not validated against the requested DNS name, the attacker can impersonate the target server in a SSL connection. The integrity and confidentiality benefits of SSL are thereby eliminated.

Vulnerable versions

1.8 series
 * 1.8.4 and all prior versions
 * 1.8.5-p113 and all prior versions
 * 1.8.6-p110 and all prior versions

Development version (1.9 series)
 All versions before 2006-09-23

Solution

1.8 series
 Please upgrade to 1.8.6-p111 or 1.8.5-p114.
 * <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz>
 * <URL:http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.tar.gz>
 Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)
 Please update your Ruby to a version after 2006-09-23.

** Affects: ruby1.8 (Ubuntu)
   Importance: Undecided
   Status: New

** Visibility changed to: Public

--
Net::HTTPS Vulnerability
https://bugs.launchpad.net/bugs/149616
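
The gap the advisory describes, as an added example (not code from the advisory, Ruby's http.rb, or the Ubuntu package): chain validation and name validation are separate checks, and a certificate that chains to a trusted root still has to be compared with the requested host name. OpenSSL::SSL.verify_certificate_identity is the comparison that post_connection_check performs; the helper accept_peer?, the host names and the self-signed certificate are constructed for illustration.

```ruby
require "openssl"

# Constructed sample: a self-signed certificate whose subject CN is `cn`.
def make_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: trust decision for a peer certificate presented
# while connecting to `requested_host`.
#   check_name: false -> chain is validated, the name is never compared
#                        (the connect path the advisory describes)
#   check_name: true  -> chain and name are both validated (fixed path)
def accept_peer?(cert, store, requested_host, check_name:)
  return false unless store.verify(cert)   # chain / trust anchor check
  return true unless check_name            # name comparison skipped
  OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Constructed scenario: the peer certificate is trusted, but it was
# issued for a different name than the one the client asked for.
PEER_CERT = make_cert("other.example.net")
STORE = OpenSSL::X509::Store.new
STORE.add_cert(PEER_CERT)

if __FILE__ == $0
  host = "www.example.com"
  puts "requested host:        #{host}"
  puts "certificate subject:   #{PEER_CERT.subject}"
  puts "accepted, no name check: #{accept_peer?(PEER_CERT, STORE, host, check_name: false)}"
  puts "accepted, name checked:  #{accept_peer?(PEER_CERT, STORE, host, check_name: true)}"
end
```
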