CVE-2009-0642
Published: 20 February 2009
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ruby1.8 Launchpad, Ubuntu, Debian |
dapper |
Released
(1.8.4-1ubuntu1.7)
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Released
(1.8.6.111-2ubuntu1.3)
|
|
| intrepid |
Released
(1.8.7.72-1ubuntu0.2)
|
|
| jaunty |
Released
(1.8.7.72-3ubuntu0.1)
|
|
| karmic |
Not vulnerable
(1.8.7.174-1)
|
|
| lucid |
Not vulnerable
(1.8.7.174-1)
|
|
| maverick |
Not vulnerable
(1.8.7.174-1)
|
|
| natty |
Not vulnerable
(1.8.7.174-1)
|
|
| oneiric |
Not vulnerable
(1.8.7.174-1)
|
|
| upstream |
Released
(1.8.7.72-3.1)
|
|
|
Patches: upstream: http://redmine.ruby-lang.org/repositories/revision/ruby-187?rev=22857 vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=18;filename=ruby1.8-1.8.7.72-3_1.8.7.72-3.1.patch;att=1;bug=517639 |
||
|
ruby1.9 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Released
(1.9.0.2-7ubuntu1.2)
|
|
| jaunty |
Released
(1.9.0.2-9ubuntu1.1)
|
|
| karmic |
Not vulnerable
(1.9.0.2-9.1ubuntu1)
|
|
| lucid |
Not vulnerable
(1.9.0.2-9.1ubuntu1)
|
|
| maverick |
Does not exist
(pulled 2010-07-27)
|
|
| natty |
Does not exist
(pulled 2010-07-27)
|
|
| oneiric |
Does not exist
(pulled 2010-07-27)
|
|
| upstream |
Released
(1.9.0.2-9.1)
|
|
|
Patches: upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22440 vendor: http://patch-tracking.debian.net/patch/series/view/ruby1.9/1.9.0.2-9.1/931_CVE-2009-0642 |
||