Launchpad.net

CVE 2007-5162

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

Related bugs and status

CVE-2007-5162 (Candidate) is related to these bugs:

Bug #149616: Net::HTTPS Vulnerability

		In	Importance	Status
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu Dapper)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu Dapper)	Undecided	Won't Fix
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu Edgy)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu Edgy)	Undecided	Won't Fix
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu Feisty)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu Feisty)	Undecided	Won't Fix
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu Gutsy)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu Gutsy)	Undecided	Won't Fix
149616	Net::HTTPS Vulnerability	ruby1.8 (Ubuntu Hardy)	Undecided	Fix Released
149616	Net::HTTPS Vulnerability	ruby1.9 (Ubuntu Hardy)	Undecided	Fix Released

Bug #165140: [ruby] multiple vulnerabilities

		In	Importance	Status
165140	[ruby] multiple vulnerabilities	ruby1.8 (Ubuntu)	Undecided	New
165140	[ruby] multiple vulnerabilities	ruby1.9 (Ubuntu)	Undecided	New
165140	[ruby] multiple vulnerabilities	libopenssl-ruby (Ubuntu)	Undecided	New

See the

CVE page on Mitre.org for more details.

References

MISC: http://www.isecpartner...
BID: 25847
SECUNIA: 26985
MISC: https://bugzilla.redha...
FEDORA: FEDORA-2007-2406
FEDORA: FEDORA-2007-718
SECUNIA: 27044
FEDORA: FEDORA-2007-2685
SECUNIA: 27432
REDHAT: RHSA-2007:0961
REDHAT: RHSA-2007:0965
SECUNIA: 27576
SECUNIA: 27673
SREASON: 3180
DEBIAN: DSA-1410
DEBIAN: DSA-1411
DEBIAN: DSA-1412
SUSE: SUSE-SR:2007:024
SECUNIA: 27764
SECUNIA: 27769
SECUNIA: 27818
SECUNIA: 27756
MANDRIVA: MDVSA-2008:029
SECUNIA: 28645
UBUNTU: USN-596-1
SECUNIA: 29556
VUPEN: ADV-2007-3340
CONFIRM: http://svn.ruby-lang.o...
CONFIRM: http://svn.ruby-lang.o...
CONFIRM: http://svn.ruby-lang.o...
CONFIRM: http://svn.ruby-lang.o...
XF: ruby-nethttps-mitm(36861)
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20070927 Ruby Net::HTT...
BUGTRAQ: 20071112 FLEA-2007-006...