__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

                             INFORMATION BULLETIN

                              Ruby Security Update
                          [Red Hat RHSA-2007:0965-3]

November 13, 2007 19:00 GMT                                       Number S-052
                                                         [REVISED 26 Nov 2007]
______________________________________________________________________________
PROBLEM:        An SSL certificate validation flaw was discovered in several
                Ruby Net modules.

PLATFORM:       RHEL Desktop Workstation (v. 5 client)
                Red Hat Enterprise Linux (v. 5 server)
                Red Hat Enterprise Linux Desktop (v. 5 client)
                Debian GNU/Linux 3.1 (oldstable) and 4.0 (stable)

DAMAGE:         Could allow a man in the middle attack.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY   The risk is LOW. The libraries were not checking the requested
ASSESSMENT:     host name against the common name (CN) in the SSL server
                certificate, possibly allowing a man in the middle attack.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-052.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0965.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2007/dsa-1410
                     http://www.debian.org/security/2007/dsa-1411
                     http://www.debian.org/security/2007/dsa-1412
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-5162
                     CVE-2007-5770
______________________________________________________________________________
REVISION HISTORY:
 11/26/2007 - revised S-052 to add links to Debian Security Advisories
              DSA-1410-1, DSA-1411-1, and DSA-1412-1 for Debian GNU/Linux 3.1
              (oldstable) and 4.0 (stable).
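The check that the bulletin says the Ruby Net modules skipped, written out as an added example (not code from CIAC, Red Hat or the Ruby project): a throwaway self-signed certificate is built, its CN or DNS subjectAltNames are matched against the requested host with RFC 2818 wildcard rules, and the result is compared with the stdlib OpenSSL::SSL.verify_certificate_identity, the function that performs this check in patched Ruby. All host names below are constructed test data.

```ruby
require 'openssl'

# Throwaway self-signed certificate with a CN and optional DNS subjectAltNames
# (constructed test data, not a real server certificate).
def build_cert(cn, sans = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    san = sans.map { |s| "DNS:#{s}" }.join(',')
    cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Names the certificate claims: DNS SANs when present, otherwise the CN.
def cert_names(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return san.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v[4..-1] } if san
  cert.subject.to_a.select { |k, _, _| k == 'CN' }.map { |_, v, _| v }
end

# One certificate name vs the requested host (RFC 2818 rules): case-insensitive
# exact match, or a wildcard that stands for exactly one leftmost label.
def name_matches?(pattern, host)
  pattern, host = pattern.downcase, host.downcase
  return pattern == host unless pattern.start_with?('*.')
  p_labels, h_labels = pattern.split('.', -1), host.split('.', -1)
  p_labels.length == h_labels.length && p_labels[1..-1] == h_labels[1..-1]
end

# The check the vulnerable Net::* modules omitted: the host the client asked for
# must be covered by a name in the certificate the server presented.
def identity_ok?(cert, host)
  cert_names(cert).any? { |name| name_matches?(name, host) }
end

if __FILE__ == $0
  cert = build_cert('www.example.com', ['www.example.com', '*.cdn.example.com'])
  %w[www.example.com a.cdn.example.com mitm.example.net].each do |host|
    stdlib = OpenSSL::SSL.verify_certificate_identity(cert, host)
    puts "#{host.ljust(20)} ours=#{identity_ok?(cert, host)} stdlib=#{stdlib}"
  end
end
```

A client that only enables VERIFY_PEER gets chain validation but, before the fix, not this identity check, so a valid certificate for any other host was accepted.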
[***** Start Red Hat RHSA-2007:0965-3 *****]

Moderate: ruby security update

Advisory:             RHSA-2007:0965-3
Type:                 Security Advisory
Severity:             Moderate
Issued on:            2007-11-13
Last updated on:      2007-11-13
Affected Products:    RHEL Desktop Workstation (v. 5 client)
                      Red Hat Enterprise Linux (v. 5 server)
                      Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:                 com.redhat.rhsa-20070965.xml
CVEs (cve.mitre.org): CVE-2007-5162
                      CVE-2007-5770

Details

Updated ruby packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Ruby is an interpreted scripting language for object-oriented programming.

An SSL certificate validation flaw was discovered in several Ruby Net modules.
The libraries were not checking the requested host name against the common
name (CN) in the SSL server certificate, possibly allowing a man in the middle
attack. (CVE-2007-5162, CVE-2007-5770)

Users of Ruby should upgrade to these updated packages, which contain a
backported patch to resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages
Bugs fixed (see bugzilla for more information)

313691 - CVE-2007-5162 ruby Net::HTTP insufficient verification of SSL
         certificate
362081 - CVE-2007-5770 ruby insufficient verification of SSL certificate in
         various net::* modules

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0965-3 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-042: CoolKey Security and Bug Fix Update
S-043: OpenSSH Security and Bug Fix Update
S-044: Apple QuickTime 7.3 Security Update
S-045: OpenLDAP Security and Enhancement Update
S-046: TeTeX Security Update
S-047: Guidance EnCase Vulnerability
S-048: phpMyAdmin Vulnerability
S-049: Mozilla Firefox Vulnerability
S-050: Horde3 Vulnerabilities
S-051: Perl-Compatible Regular Expression (PCRE) Security Update