Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2013:201 | First vendor Publication | 2013-07-26 |
Vendor | Mandriva | Last vendor Modification | 2013-07-26 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability has been discovered and corrected in ruby: A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts (CVE-2013-4073). The updated packages have been patched to correct this issue. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:201 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18009 | |||
Oval ID: | oval:org.mitre.oval:def:18009 | ||
Title: | USN-1902-1 -- ruby1.8, ruby1.9.1 vulnerability | ||
Description: | An attacker could trick Ruby into trusting a rogue server. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1902-1 CVE-2013-4073 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | ruby1.8 ruby1.9.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18691 | |||
Oval ID: | oval:org.mitre.oval:def:18691 | ||
Title: | DSA-2738-1 ruby1.9.1 - several | ||
Description: | Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2738-1 CVE-2013-1821 CVE-2013-4073 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | ruby1.9.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21171 | |||
Oval ID: | oval:org.mitre.oval:def:21171 | ||
Title: | RHSA-2013:1090: ruby security update (Moderate) | ||
Description: | The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1090-00 CESA-2013:1090 CVE-2013-4073 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25425 | |||
Oval ID: | oval:org.mitre.oval:def:25425 | ||
Title: | SUSE-SU-2014:0337-1 -- Security update for python | ||
Description: | This update for Python fixes the following security issues: * bnc#834601: SSL module does not handle certificates that contain hostnames with NULL bytes. (CVE-2013-4238) * bnc#856836: Various stdlib read flaws. (CVE-2013-1752) Additionally, the following non-security issues have been fixed: * bnc#859068: Turn off OpenSSL's aggressive optimizations that conflict with Python's GC. * bnc#847135: Setting fips=1 at boot time causes problems with Python due to MD5 usage. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0337-1 CVE-2013-4238 CVE-2013-1752 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25752 | |||
Oval ID: | oval:org.mitre.oval:def:25752 | ||
Title: | SUSE-SU-2013:1260-3 -- Security update for ruby | ||
Description: | Ruby failed to check hostnames correctly when setting up a SSL client connection. CVE-2013-4073 was assigned to this issue. Security Issue reference: * CVE-2013-4073 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1260-3 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | ruby |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25855 | |||
Oval ID: | oval:org.mitre.oval:def:25855 | ||
Title: | SUSE-SU-2013:1260-2 -- Security update for ruby | ||
Description: | Ruby failed to check hostnames correctly when setting up a SSL client connection. CVE-2013-4073 was assigned to this issue. Security Issues: * CVE-2013-4073 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1260-2 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 10 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26038 | |||
Oval ID: | oval:org.mitre.oval:def:26038 | ||
Title: | SUSE-SU-2014:0843-1 -- Security update for ruby | ||
Description: | Ruby received an LTSS roll-up update to fix the following security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0843-1 CVE-2013-1821 CVE-2013-4164 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | ruby |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26239 | |||
Oval ID: | oval:org.mitre.oval:def:26239 | ||
Title: | SUSE-SU-2014:0844-1 -- Security update for ruby | ||
Description: | Ruby received an LTSS roll-up update to fix the following security issues. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0844-1 CVE-2012-4481 CVE-2013-1821 CVE-2013-4164 CVE-2013-4073 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | ruby |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-02-27 | IAVM : 2014-A-0030 - Apple Mac OS X Security Update 2014-001 Severity : Category I - VMSKEY : V0044547 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_ruby_20130924.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-575.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-572.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-201402-140224.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2014-001.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote host is missing a Mac OS X update that fixes a certificate validat... File : macosx_10_9_2.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote web server uses a version of PHP that is potentially affected by m... File : php_5_3_28.nasl - Type : ACT_GATHER_INFO |
2013-12-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2809.nasl - Type : ACT_GATHER_INFO |
2013-10-28 | Name : A web application on the remote host has multiple vulnerabilities. File : puppet_enterprise_301.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_9.nasl - Type : ACT_GATHER_INFO |
2013-08-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2738.nasl - Type : ACT_GATHER_INFO |
2013-07-31 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ruby-130708.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-8639.nasl - Type : ACT_GATHER_INFO |
2013-07-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-201.nasl - Type : ACT_GATHER_INFO |
2013-07-19 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130717_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-07-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1090.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12663.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ebd877b97ef44375b1fdc67780581898.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12123.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-12062.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1902-1.nasl - Type : ACT_GATHER_INFO |
2013-06-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-178-01.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:43:54 |
|
2013-08-20 17:26:19 |
|
2013-07-26 17:19:31 |
|