CVE-2013-4073
Published: 28 June 2013
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
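A Ruby model of the failure described above, added here as an example and not code from Ruby's lib/openssl/ssl.rb or from the linked commits. It builds a constructed subjectAltName value with OpenSSL::ASN1, then compares a hostname check that works from a NUL-truncated printed form (the pre-fix behaviour, emulated here by cutting each name at the first '\0', since the printed extension string is derived from a C string) with one that works from the raw DER octets. The helper names (build_san_der, vulnerable_verify, fixed_verify), the sample names and the emulation of the old code path are assumptions for illustration.

```ruby
require "openssl"

# Build a subjectAltName value (GeneralNames SEQUENCE, RFC 5280) as DER.
# Each entry is a context-specific [2] IMPLICIT IA5String, i.e. a dNSName.
# The names are constructed sample data, not taken from a real certificate.
def build_san_der(dns_names)
  names = dns_names.map do |n|
    OpenSSL::ASN1::IA5String.new(n, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
  end
  OpenSSL::ASN1::Sequence.new(names).to_der
end

# Decode the GeneralNames SEQUENCE and return the raw octets of every dNSName.
# Implicitly tagged entries decode to ASN1Data with tag 2 and a String value,
# so an embedded NUL byte survives here.
def san_dns_names_raw(der)
  OpenSSL::ASN1.decode(der).value
    .select { |gn| gn.tag == 2 && gn.tag_class == :CONTEXT_SPECIFIC }
    .map(&:value)
end

# Emulation (assumption) of the pre-fix data path: the old check parsed the
# extension's printed "DNS:..." form, which stops at the first NUL byte.
def san_dns_names_printed(der)
  san_dns_names_raw(der).map { |n| n.split("\0", 2).first }
end

# Same matching rule as the page describes: escape the pattern, let '*'
# match one label, anchor both ends, ignore case.
def matches_hostname?(pattern, hostname)
  reg = Regexp.escape(pattern).gsub(/\\\*/, "[^.]+")
  /\A#{reg}\z/i.match?(hostname)
end

# Vulnerable: "www.example.com\0.attacker.example" becomes "www.example.com".
def vulnerable_verify(der, hostname)
  san_dns_names_printed(der).any? { |n| matches_hostname?(n, hostname) }
end

# Fixed: work from the raw octets and refuse any name carrying a NUL byte.
def fixed_verify(der, hostname)
  san_dns_names_raw(der).any? do |n|
    !n.include?("\0") && matches_hostname?(n, hostname)
  end
end

if __FILE__ == $0
  # Constructed sample: a CA that only validated ownership of attacker.example
  # could have issued this name, because the NUL hides the real suffix.
  crafted = build_san_der(["www.example.com\0.attacker.example"])
  puts "vulnerable check: #{vulnerable_verify(crafted, 'www.example.com')}"
  puts "fixed check:      #{fixed_verify(crafted, 'www.example.com')}"
end
```

The fixed path mirrors the approach of the upstream patches, which decode the extension's DER with OpenSSL::ASN1 instead of reading its printed string; the explicit NUL rejection is an extra belt-and-braces check added in this example.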
Notes
Author | Note |
---|---|
mdeslaur | possible regression: https://bugs.ruby-lang.org/issues/8575 |
Priority
Status
Package | Release | Status |
---|---|---|
ruby1.8 (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life) |
| precise | Released (1.8.7.352-2ubuntu1.3) |
| quantal | Released (1.8.7.358-4ubuntu0.3) |
| raring | Released (1.8.7.358-7ubuntu1.1) |
| upstream | Released (1.8.7 patchlevel 374) |

Patches: upstream: https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f (1.8.7); upstream: https://github.com/ruby/ruby/commit/a3a62f87e144be31b9ca8ad6415b207f43f4e126 (regression - trunk)

Package | Release | Status |
---|---|---|
ruby1.9.1 (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life) |
| precise | Released (1.9.3.0-1ubuntu2.7) |
| quantal | Released (1.9.3.194-1ubuntu1.5) |
| raring | Released (1.9.3.194-8.1ubuntu1.1) |
| upstream | Released (1.9.3 patchlevel 448) |

Patches: upstream: https://github.com/ruby/ruby/commit/2669b84d407ab431e965145c827db66c91158f89 (1.9.3); upstream: https://github.com/ruby/ruby/commit/a3a62f87e144be31b9ca8ad6415b207f43f4e126 (regression - trunk)