Executive Summary
Summary | |
---|---|
Title | ruby security update |
Informations | |||
---|---|---|---|
Name | RHSA-2007:0961 | First vendor Publication | 2007-11-13 |
Vendor | RedHat | Last vendor Modification | 2007-11-13 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: Ruby is an interpreted scripting language for object-oriented programming. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. If a remote attacker sends a specially crafted request, it is possible to cause the ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) An SSL certificate validation flaw was discovered in several Ruby Net modules. The libraries were not checking the requested host name against the common name (CN) in the SSL server certificate, possibly allowing a man in the middle attack. (CVE-2007-5162, CVE-2007-5770) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bug IDs fixed (http://bugzilla.redhat.com/): 218287 - CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS 313691 - CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate 362081 - CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2007-0961.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-287 | Improper Authentication |
33 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10529 | |||
Oval ID: | oval:org.mitre.oval:def:10529 | ||
Title: | The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467. | ||
Description: | The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-6303 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10738 | |||
Oval ID: | oval:org.mitre.oval:def:10738 | ||
Title: | The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. | ||
Description: | The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5162 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11025 | |||
Oval ID: | oval:org.mitre.oval:def:11025 | ||
Title: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Description: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5770 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17689 | |||
Oval ID: | oval:org.mitre.oval:def:17689 | ||
Title: | USN-596-1 -- ruby1.8 vulnerabilities | ||
Description: | Chris Clark discovered that Ruby's HTTPS module did not check for commonName mismatches early enough during SSL negotiation. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-596-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | ruby1.8 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18414 | |||
Oval ID: | oval:org.mitre.oval:def:18414 | ||
Title: | DSA-1410-1 ruby1.8 - possible man-in-the-middle attacks | ||
Description: | Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1410-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | ruby1.8 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18657 | |||
Oval ID: | oval:org.mitre.oval:def:18657 | ||
Title: | DSA-1412-1 ruby1.9 - possible man-in-the-middle attacks | ||
Description: | Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1412-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | ruby1.9 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21946 | |||
Oval ID: | oval:org.mitre.oval:def:21946 | ||
Title: | ELSA-2007:0965: ruby security update (Moderate) | ||
Description: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:0965-01 CVE-2007-5162 CVE-2007-5770 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-05-12 | Name : Mac OS X Security Update 2007-009 File : nvt/macosx_secupd_2007-009.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-10 | Name : SLES9: Security update for ruby File : nvt/sles9p5009168.nasl |
2009-04-09 | Name : Mandriva Update for ruby MDVSA-2008:029 (ruby) File : nvt/gb_mandriva_MDVSA_2008_029.nasl |
2009-03-23 | Name : Ubuntu Update for ruby1.8 vulnerabilities USN-596-1 File : nvt/gb_ubuntu_USN_596_1.nasl |
2009-03-06 | Name : RedHat Update for ruby RHSA-2008:0562-01 File : nvt/gb_RHSA-2008_0562-01_ruby.nasl |
2009-02-27 | Name : CentOS Update for irb CESA-2008:0562 centos3 x86_64 File : nvt/gb_CESA-2008_0562_irb_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for ruby CESA-2008:0562-01 centos2 i386 File : nvt/gb_CESA-2008_0562-01_ruby_centos2_i386.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-738 File : nvt/gb_fedora_2007_738_ruby_fc6.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-718 File : nvt/gb_fedora_2007_718_ruby_fc6.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2812 File : nvt/gb_fedora_2007_2812_ruby_fc8.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2685 File : nvt/gb_fedora_2007_2685_ruby_fc7.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2406 File : nvt/gb_fedora_2007_2406_ruby_fc7.nasl |
2009-02-27 | Name : CentOS Update for irb CESA-2008:0562 centos3 i386 File : nvt/gb_CESA-2008_0562_irb_centos3_i386.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-5649 File : nvt/gb_fedora_2008_5649_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-5664 File : nvt/gb_fedora_2008_5664_ruby_fc9.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-6033 File : nvt/gb_fedora_2008_6033_ruby_fc9.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-6094 File : nvt/gb_fedora_2008_6094_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-8736 File : nvt/gb_fedora_2008_8736_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-8738 File : nvt/gb_fedora_2008_8738_ruby_fc9.nasl |
2009-02-16 | Name : Fedora Update for ruby FEDORA-2008-2458 File : nvt/gb_fedora_2008_2458_ruby_fc7.nasl |
2009-02-16 | Name : Fedora Update for ruby FEDORA-2008-2443 File : nvt/gb_fedora_2008_2443_ruby_fc8.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200612-21 (ruby) File : nvt/glsa_200612_21.nasl |
2008-09-04 | Name : FreeBSD Ports: ruby File : nvt/freebsd_ruby5.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1410-1 (ruby1.8) File : nvt/deb_1410_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1411-1 (libopenssl-ruby) File : nvt/deb_1411_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
40773 | Ruby Multiple Net Modules Certificate commonName (CN) Field Verification Weak... |
34238 | Ruby cgi.rb read_multipart Function Crafted HTTP Request DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0562.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080714_ruby_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071113_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_11442.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-029.nasl - Type : ACT_GATHER_INFO |
2008-07-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0562.nasl - Type : ACT_GATHER_INFO |
2008-07-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0562.nasl - Type : ACT_GATHER_INFO |
2008-07-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-6094.nasl - Type : ACT_GATHER_INFO |
2008-07-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-6033.nasl - Type : ACT_GATHER_INFO |
2008-06-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5649.nasl - Type : ACT_GATHER_INFO |
2008-06-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5664.nasl - Type : ACT_GATHER_INFO |
2008-03-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-596-1.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2443.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2458.nasl - Type : ACT_GATHER_INFO |
2007-12-18 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-4702.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-2654.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1410.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote openSUSE host is missing a security update. File : suse_ruby-4703.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1411.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1412.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0965.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-394-1.nasl - Type : ACT_GATHER_INFO |
2007-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2812.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2685.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2406.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-738.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_ruby-2655.nasl - Type : ACT_GATHER_INFO |
2007-10-09 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-718.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2007-005.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-225.nasl - Type : ACT_GATHER_INFO |
2006-12-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200612-21.nasl - Type : ACT_GATHER_INFO |
2006-12-06 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_a8674c1483d711db88d50012f06707f0.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-04-26 18:08:17 |
|
2014-02-17 11:51:05 |
|
2013-05-11 12:24:10 |
|