Executive Summary
Summary | |
---|---|
Title | ruby security update |
Informations | |||
---|---|---|---|
Name | RHSA-2007:0965 | First vendor Publication | 2007-11-13 |
Vendor | RedHat | Last vendor Modification | 2007-11-13 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Problem description: Ruby is an interpreted scripting language for object-oriented programming. An SSL certificate validation flaw was discovered in several Ruby Net modules. The libraries were not checking the requested host name against the common name (CN) in the SSL server certificate, possibly allowing a man in the middle attack. (CVE-2007-5162, CVE-2007-5770) Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bug IDs fixed (http://bugzilla.redhat.com/): 313691 - CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate 362081 - CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2007-0965.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10738 | |||
Oval ID: | oval:org.mitre.oval:def:10738 | ||
Title: | The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. | ||
Description: | The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5162 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11025 | |||
Oval ID: | oval:org.mitre.oval:def:11025 | ||
Title: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Description: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5770 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17689 | |||
Oval ID: | oval:org.mitre.oval:def:17689 | ||
Title: | USN-596-1 -- ruby1.8 vulnerabilities | ||
Description: | Chris Clark discovered that Ruby's HTTPS module did not check for commonName mismatches early enough during SSL negotiation. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-596-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | ruby1.8 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18414 | |||
Oval ID: | oval:org.mitre.oval:def:18414 | ||
Title: | DSA-1410-1 ruby1.8 - possible man-in-the-middle attacks | ||
Description: | Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1410-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | ruby1.8 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18657 | |||
Oval ID: | oval:org.mitre.oval:def:18657 | ||
Title: | DSA-1412-1 ruby1.9 - possible man-in-the-middle attacks | ||
Description: | Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1412-1 CVE-2007-5162 CVE-2007-5770 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | ruby1.9 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21946 | |||
Oval ID: | oval:org.mitre.oval:def:21946 | ||
Title: | ELSA-2007:0965: ruby security update (Moderate) | ||
Description: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:0965-01 CVE-2007-5162 CVE-2007-5770 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | ruby |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2010-05-12 | Name : Mac OS X Security Update 2007-009 File : nvt/macosx_secupd_2007-009.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-04-09 | Name : Mandriva Update for ruby MDVSA-2008:029 (ruby) File : nvt/gb_mandriva_MDVSA_2008_029.nasl |
2009-03-23 | Name : Ubuntu Update for ruby1.8 vulnerabilities USN-596-1 File : nvt/gb_ubuntu_USN_596_1.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2406 File : nvt/gb_fedora_2007_2406_ruby_fc7.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2685 File : nvt/gb_fedora_2007_2685_ruby_fc7.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-2812 File : nvt/gb_fedora_2007_2812_ruby_fc8.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-718 File : nvt/gb_fedora_2007_718_ruby_fc6.nasl |
2009-02-27 | Name : Fedora Update for ruby FEDORA-2007-738 File : nvt/gb_fedora_2007_738_ruby_fc6.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-5649 File : nvt/gb_fedora_2008_5649_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-8738 File : nvt/gb_fedora_2008_8738_ruby_fc9.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-8736 File : nvt/gb_fedora_2008_8736_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-6094 File : nvt/gb_fedora_2008_6094_ruby_fc8.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-6033 File : nvt/gb_fedora_2008_6033_ruby_fc9.nasl |
2009-02-17 | Name : Fedora Update for ruby FEDORA-2008-5664 File : nvt/gb_fedora_2008_5664_ruby_fc9.nasl |
2009-02-16 | Name : Fedora Update for ruby FEDORA-2008-2458 File : nvt/gb_fedora_2008_2458_ruby_fc7.nasl |
2009-02-16 | Name : Fedora Update for ruby FEDORA-2008-2443 File : nvt/gb_fedora_2008_2443_ruby_fc8.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1410-1 (ruby1.8) File : nvt/deb_1410_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1411-1 (libopenssl-ruby) File : nvt/deb_1411_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
40773 | Ruby Multiple Net Modules Certificate commonName (CN) Field Verification Weak... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071113_ruby_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-029.nasl - Type : ACT_GATHER_INFO |
2008-07-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-6094.nasl - Type : ACT_GATHER_INFO |
2008-07-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-6033.nasl - Type : ACT_GATHER_INFO |
2008-06-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5664.nasl - Type : ACT_GATHER_INFO |
2008-06-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5649.nasl - Type : ACT_GATHER_INFO |
2008-03-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-596-1.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2443.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2458.nasl - Type : ACT_GATHER_INFO |
2007-12-18 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_ruby-4702.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1412.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1411.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote openSUSE host is missing a security update. File : suse_ruby-4703.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1410.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0961.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0965.nasl - Type : ACT_GATHER_INFO |
2007-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2812.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-738.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2685.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2406.nasl - Type : ACT_GATHER_INFO |
2007-10-09 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-718.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:51:06 |
|