Vulnerability Details
Ruby Net::HTTP Library Insecure Server Certificate CN Verification Vulnerability
Vulnerability Description
Ruby is a powerful object-oriented scripting language.
Ruby's Net::HTTPS library has an implementation flaw that an attacker could exploit to obtain sensitive information from a session.
Ruby's Net::HTTPS library does not validate the SSL certificate name against the DNS name requested by the user: after negotiating the SSL connection, the connect method in http.rb does not call post_connection_check. Because the server certificate's CN is never verified against the requested DNS name, an attacker could impersonate the intended server in the SSL connection, defeating the confidentiality and integrity of the SSL session.
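The following is an added example, not code from this advisory or from the Ruby project, showing the missing step described above: chain validation during connect accepts any certificate chaining to a trusted root, and only post_connection_check (the call the fix adds after connect) compares the requested DNS name with the certificate. The host names api.example.test and login.example.test, the self-signed certificate, and the in-process socket pair standing in for the TCP connection are constructed for the demonstration; the OpenSSL calls (post_connection_check, OpenSSL::SSL.verify_certificate_identity) are the ones Ruby's bundled openssl library provides.

```ruby
require 'openssl'
require 'socket'

# Constructed test material: a self-signed certificate for one DNS name.
def make_self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Pure name comparison, the same check post_connection_check runs on the peer
# certificate: subjectAltName DNS entries first, then the CN.
def identity_matches?(cert, requested_host)
  OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# One TLS handshake over an in-process socket pair (constructed stand-in for the
# TCP connection http.rb opens). The chain is validated against +trust_store+
# during connect; whether the requested name is compared to the certificate
# depends on +check_identity+. Returns :accepted or :rejected.
def tls_session_outcome(cert, key, trust_store, requested_host, check_identity:)
  client_io, server_io = Socket.pair(:UNIX, :STREAM, 0)

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key  = key
  server_thread = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    begin
      ssl.accept
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # peer aborted the handshake; nothing more to do on this side
    ensure
      server_io.close
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # chain validation only
  client_ctx.cert_store  = trust_store
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  begin
    ssl.connect                                   # as in the unpatched connect: chain OK, name never compared
    ssl.post_connection_check(requested_host) if check_identity  # the call the fix adds
    :accepted
  rescue OpenSSL::SSL::SSLError                   # chain failure or name mismatch
    :rejected
  ensure
    client_io.close
    server_thread.join
  end
end

# Runs the four combinations: a certificate valid for api.example.test is
# presented, with and without the name check, for two requested names.
def demo
  cert, key = make_self_signed_cert('api.example.test')   # constructed name
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)                                    # trusted root for this demo
  {
    pure_match:      identity_matches?(cert, 'api.example.test'),
    pure_mismatch:   identity_matches?(cert, 'login.example.test'),
    unchecked_match: tls_session_outcome(cert, key, store, 'api.example.test',   check_identity: false),
    unchecked_wrong: tls_session_outcome(cert, key, store, 'login.example.test', check_identity: false),
    checked_match:   tls_session_outcome(cert, key, store, 'api.example.test',   check_identity: true),
    checked_wrong:   tls_session_outcome(cert, key, store, 'login.example.test', check_identity: true)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The unchecked_wrong result is the vulnerable behaviour: the handshake succeeds and the session is accepted even though the certificate was issued for a different name than the one the caller asked for. Only checked_wrong returns :rejected, because post_connection_check raises OpenSSL::SSL::SSLError on the mismatch. Current Ruby releases perform this comparison in Net::HTTP (and, with verify_hostname enabled, inside connect itself), so the example is useful mainly for reviewing code that builds SSLSocket connections by hand.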
Vulnerability Announcement
The vendor has released a patch to fix this security issue; download links:
Debian has published a security advisory (DSA-1410-1) and corresponding patches:
DSA-1410-1: New ruby1.8 packages fix insecure SSL certificate
Link:
http://www.debian.org/security/2007/dsa-1410
Patch downloads:
Source archives:
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6.diff.gz
Size/MD5 checksum: 538242 39599e76e17e8b5cc1ec766b71593d9f
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6.dsc
Size/MD5 checksum: 1024 b1798609dcf45a62e1d9afc4fe93bfff
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2.orig.tar.gz
Size/MD5 checksum: 3623780 4bc5254bec262d18cf1ceef03aae8bdf
Architecture independent packages:
http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.2-7sarge6_all.deb
Size/MD5 checksum: 714364 09696ca7acac5bab3e3d06a9ae660e62
http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.2-7sarge6_all.deb
Size/MD5 checksum: 166946 32d06bc68ea2265bea556dc2226ed04d
http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge6_all.deb
Size/MD5 checksum: 234778 8de6b4af2fefe62a68ee879ebe7ff883
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge6_all.deb
Size/MD5 checksum: 143970 1a910ea5668693d3a6d2c557f18385a5
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge6_all.deb
Size/MD5 checksum: 219566 d5e35a1d40a6a072b56a49e5a187bd84
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 134122 692423c760d0c010d62303c683ae5b9c
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 239626 72825b5c797687a684d565b878fc687e
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 138232 4fb20d59981cae34ab7904013f262f18
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 827678 93e80a7a28254547b9c8d206e15e8a24
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 796352 b6f60a2f2cdec72d3ccd79e7786ca894
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 153134 dbcd57f97f2317a4f0634e930e138fa3
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 1477690 e2795b5de4dbc4530d1047bcace240c1
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 136664 e0ac034c3873b75e375b99322659501b
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge6_alpha.deb
Size/MD5 checksum: 1480146 79b24141759b2b95d2f1ec65c548b620
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 1447486 800abb11f9c785186e65070ef2828d26
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 1393124 bb473bf5d25f7547e320132c9df9e359
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 152322 7df90f3e6035ca5a6faf4cd7d2b69645
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 649882 6841742c85ec07f2e80a7d6a0901b3e3
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 136038 9631afc8383ad8b24568a3a7cc13fe4f
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 137510 bda0b8be47b912e1b3ea91701791a17f
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 781520 652266305893bb4f2961cbdb56d6e277
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge6_amd64.deb
Size/MD5 checksum: 234924 2c4b2b0cfd5aa03
References
Source: BID
Name: 25847
Link: http://www.securityfocus.com/bid/25847
Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504
Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502
Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500
Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
Source: FEDORA
Name: FEDORA-2007-2685
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html
Source: FEDORA
Name: FEDORA-2007-2406
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html
Source: FEDORA
Name: FEDORA-2007-718
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html
Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=313791
Source: XF
Name: ruby-nethttps-mitm(36861)
Link: http://xforce.iss.net/xforce/xfdb/36861
Source: BUGTRAQ
Name: 20071112 FLEA-2007-0068-1 ruby
Link: http://www.securityfocus.com/archive/1/archive/1/483577/100/0/threaded
Source: BUGTRAQ
Name: 20070927 Ruby Net::HTTPS library does not validate server certificate CN
Link: http://www.securityfocus.com/archive/1/archive/1/480987/100/0/threaded
Source: REDHAT
Name: RHSA-2007:0965
Link: http://www.redhat.com/support/errata/RHSA-2007-0965.html
Source: REDHAT
Name: RHSA-2007:0961
Link: http://www.redhat.com/support/errata/RHSA-2007-0961.html
Source: SUSE
Name: SUSE-SR:2007:024
Link: http://www.novell.com/linux/security/advisories/2007_24_sr.html
Source: MANDRIVA
Name: MDVSA-2008:029
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:029
Source: MISC
Link: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
Source: VUPEN
Name: ADV-2007-3340
Link: http://www.frsirt.com/english/advisories/2007/3340
Source: DEBIAN
Name: DSA-1412
Link: http://www.debian.org/security/2007/dsa-1412
Source: DEBIAN
Name: DSA-1411
Link: http://www.debian.org/security/2007/dsa-1411
Source: DEBIAN
Name: DSA-1410
Link: http://www.debian.org/security/2007/dsa-1410
Source: SREASON
Name: 3180
Link: http://securityreason.com/securityalert/3180
Source: SECUNIA
Name: 28645
Link: http://secunia.com/advisories/28645
Source: SECUNIA
Name: 27818
Link: http://secunia.com/advisories/27818
Source: SECUNIA
Name: 27769
Link: http://secunia.com/advisories/27769
Source: SECUNIA
Name: 27764
Link: http://secunia.com/advisories/27764
Source: SECUNIA
Name: 27756
Link: http://secunia.com/advisories/27756
Source: SECUNIA
Name: 27673
Link: http://secunia.com/advisories/27673
Source: SECUNIA
Name: 27576
Link: http://secunia.com/advisories/27576
Source: SECUNIA
Name: 27432
Link: http://secunia.com/advisories/27432
Source: SECUNIA
Name: 27044
Link: http://secunia.com/advisories/27044
Source: SECUNIA
Name: 26985
Link: http://secunia.com/advisories/26985
Source: UBUNTU
Name: USN-596-1
Link: http://www.ubuntu.com/usn/usn-596-1
Source: SECUNIA
Name: 29556
Link: http://secunia.com/advisories/29556
Affected Entities
- Ruby-Lang Ruby:1.8.6
- Ruby-Lang Ruby:1.8.5
Patch
None