PublicDate: 2007-10-01 05:17:00 UTC
Candidate: CVE-2007-5162
References:
 https://ubuntu.com/security/notices/USN-596-1
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162
Description:
 The connect method in lib/net/http.rb in the (1) Net::HTTP and (2)
 Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the
 commonName (CN) field in a server certificate matches the domain name in
 an HTTPS request, which makes it easier for remote attackers to intercept
 SSL transmissions via a man-in-the-middle attack or spoofed web site.
Ubuntu-Description:
Notes:
 jdstrand> LP bug has debdiffs
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/149616
Priority: low
Discovered-by:
Assigned-to: kees
CVSS:

Patches_ruby1.8:
 debdiff: https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/149616
dapper_ruby1.8: released (1.8.4-1ubuntu1.4)
edgy_ruby1.8: released (1.8.4-5ubuntu1.3)
feisty_ruby1.8: released (1.8.5-4ubuntu2.1)
gutsy_ruby1.8: released (1.8.6.36-1ubuntu3.1)
devel_ruby1.8: not-affected
upstream_ruby1.8: released (1.8.6.111)

Patches_libopenssl-ruby:
upstream_libopenssl-ruby: released (0.1.4a-1sarge1)
dapper_libopenssl-ruby: not-affected (fixed in ruby1.8)
edgy_libopenssl-ruby: not-affected (fixed in ruby1.8)
feisty_libopenssl-ruby: not-affected (fixed in ruby1.8)
gutsy_libopenssl-ruby: not-affected (fixed in ruby1.8)
hardy_libopenssl-ruby: not-affected (fixed in ruby1.8)
devel_libopenssl-ruby: not-affected (fixed in ruby1.8)