Candidate: CVE-2015-3900
PublicDate: 2015-06-24 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900
 https://github.com/rubygems/rubygems/commit/6bbee35
 https://github.com/rubygems/rubygems/commit/5c7bfb5
 http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
Description:
 RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Ubuntu-Description:
Notes:
 tyhicks> rubygems is for users of ruby1.8. ruby1.9.1 and jruby ship an embedded rubygems.
 seth-arnold> I have doubts this patch actually addresses DNS hijacking adequately; this may properly restrict SRV records, but what verifies subsequent lookups to ensure the returned IPs aren't under attacker control? Marking 'low' as a result.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790111
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790119
Priority: low
Discovered-by: Jonathan Claudius
Assigned-to:
CVSS:

Patches_rubygems:
upstream_rubygems: released (2.0.16, 2.2.4, 2.4.7)
precise_rubygems: not-affected
trusty_rubygems: DNE
trusty/esm_rubygems: DNE
utopic_rubygems: DNE
vivid_rubygems: DNE
vivid/stable-phone-overlay_rubygems: DNE
vivid/ubuntu-core_rubygems: DNE
wily_rubygems: DNE
devel_rubygems: DNE

Patches_ruby1.9.1:
upstream_ruby1.9.1: not-affected
precise_ruby1.9.1: not-affected
trusty_ruby1.9.1: not-affected
trusty/esm_ruby1.9.1: DNE (trusty was not-affected)
utopic_ruby1.9.1: not-affected
vivid_ruby1.9.1: not-affected
vivid/stable-phone-overlay_ruby1.9.1: DNE
vivid/ubuntu-core_ruby1.9.1: DNE
wily_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_jruby:
upstream_jruby: not-affected
precise_jruby: not-affected
trusty_jruby: not-affected
trusty/esm_jruby: not-affected
utopic_jruby: not-affected
vivid_jruby: not-affected
vivid/stable-phone-overlay_jruby: DNE
vivid/ubuntu-core_jruby: DNE
wily_jruby: not-affected
devel_jruby: not-affected

Patches_libgems-ruby:
upstream_libgems-ruby: not-affected
precise_libgems-ruby: DNE
trusty_libgems-ruby: DNE
trusty/esm_libgems-ruby: DNE
utopic_libgems-ruby: DNE
vivid_libgems-ruby: DNE
vivid/stable-phone-overlay_libgems-ruby: DNE
vivid/ubuntu-core_libgems-ruby: DNE
wily_libgems-ruby: DNE
devel_libgems-ruby: DNE

Patches_ruby1.8:
upstream_ruby1.8: not-affected
precise_ruby1.8: not-affected
trusty_ruby1.8: DNE
trusty/esm_ruby1.8: DNE
utopic_ruby1.8: DNE
vivid_ruby1.8: DNE
vivid/stable-phone-overlay_ruby1.8: DNE
vivid/ubuntu-core_ruby1.8: DNE
wily_ruby1.8: DNE
devel_ruby1.8: DNE

Patches_ruby2.2:
upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5
upstream_ruby2.2: released (2.2.2-3)
precise_ruby2.2: DNE
trusty_ruby2.2: DNE
trusty/esm_ruby2.2: DNE
utopic_ruby2.2: DNE
vivid_ruby2.2: DNE
vivid/stable-phone-overlay_ruby2.2: DNE
vivid/ubuntu-core_ruby2.2: DNE
wily_ruby2.2: not-affected (2.2.2-3)
devel_ruby2.2: not-affected (2.2.2-3)

Patches_ruby2.3:
upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5
upstream_ruby2.3: needs-triage
precise_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
utopic_ruby2.3: DNE
vivid_ruby2.3: DNE
vivid/stable-phone-overlay_ruby2.3: DNE
vivid/ubuntu-core_ruby2.3: DNE
wily_ruby2.3: DNE
devel_ruby2.3: not-affected

Patches_ruby2.1:
upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5
upstream_ruby2.1: released (2.1.5-4)
precise_ruby2.1: DNE
trusty_ruby2.1: DNE
trusty/esm_ruby2.1: DNE
utopic_ruby2.1: ignored (reached end-of-life)
vivid_ruby2.1: ignored (reached end-of-life)
vivid/stable-phone-overlay_ruby2.1: DNE
vivid/ubuntu-core_ruby2.1: DNE
wily_ruby2.1: not-affected (2.1.5-4ubuntu1)
devel_ruby2.1: DNE