FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Ruby -- OpenSSL Hostname Verification Vulnerability

Affected packages
2.0,1 <= ruby < 2.0.0.645,1
2.0,1 <= ruby20 < 2.0.0.645,1
2.1,1 <= ruby < 2.1.6,1
2.1,1 <= ruby21 < 2.1.6,1
2.2,1 <= ruby < 2.2.2,1
2.2,1 <= ruby22 < 2.2.2,1

Details

VuXML ID d4379f59-3e9b-49eb-933b-61de4d0b0fdb
Discovery 2015-04-13
Entry 2015-04-14
Modified 2015-09-23

Ruby Developers report:

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparison of these values is now case-insensitive.
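The rules the report refers to (at most one wildcard per presented name, the wildcard confined to the whole left-most label, case-insensitive comparison) can be illustrated with a small matcher. The following is an added example written for this entry; it is not the patched code from Ruby's OpenSSL extension, and the module name `StrictHostname` and the extra conservative rule that a wildcard pattern must keep at least two literal labels to its right (so `*.com` is rejected) are this example's own choices, not something the advisory states.

```ruby
# Illustrative strict hostname matcher in the spirit of RFC 6125 section 6.4.3.
# Added example for this advisory; not Ruby's OpenSSL::SSL.verify_hostname.
module StrictHostname
  # Returns true when +hostname+ matches the DNS name +pattern+ taken from a
  # certificate subject CN or SAN dNSName entry, under these rules:
  #  * comparison is case-insensitive (DNS names are case-insensitive),
  #  * at most one wildcard character in the whole pattern,
  #  * the wildcard must be the entire left-most label (no "w*.example.com"),
  #  * the wildcard matches exactly one label and never spans a dot,
  #  * (assumed, conservative) the wildcard needs at least two literal labels
  #    to its right, so "*.com" never matches anything.
  def self.match?(pattern, hostname)
    pattern  = pattern.downcase.chomp(".")   # normalise case and trailing dot
    hostname = hostname.downcase.chomp(".")
    return false if pattern.empty? || hostname.empty?
    return false if pattern.count("*") > 1  # more than one wildcard: reject

    pattern_labels  = pattern.split(".", -1)
    hostname_labels = hostname.split(".", -1)
    # A wildcard stands for exactly one label, so label counts must agree.
    return false if pattern_labels.length != hostname_labels.length
    # Empty labels ("a..b") are never valid DNS names.
    return false if pattern_labels.any?(&:empty?) || hostname_labels.any?(&:empty?)

    pattern_labels.each_with_index.all? do |plabel, i|
      if plabel.include?("*")
        # Only a whole left-most label may be a wildcard, and it must leave at
        # least two literal labels to its right.
        i.zero? && plabel == "*" && pattern_labels.length >= 3
      else
        plabel == hostname_labels[i]   # literal labels compare exactly (already downcased)
      end
    end
  end

  # Accepts the certificate for +hostname+ if any presented DNS name matches.
  def self.verify(hostname, dns_names)
    dns_names.any? { |name| match?(name, hostname) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names for a stand-alone run.
  [["*.example.com", "WWW.Example.COM"],
   ["*.*.example.com", "a.b.example.com"],
   ["*.example.com", "a.b.example.com"],
   ["w*.example.com", "www.example.com"],
   ["*.com", "example.com"]].each do |pattern, host|
    puts "#{pattern.ljust(18)} vs #{host.ljust(18)} -> #{StrictHostname.match?(pattern, host)}"
  end
end
```

The second and third sample pairs are the cases the report calls out: a pattern carrying two wildcards is refused outright, and a single wildcard is never allowed to absorb more than one label. Rejecting rather than guessing is the safe default for a verifier, because a lax matcher accepts a certificate issued for a different name and silently defeats TLS authentication.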

References

CVE Name CVE-2015-1855
URL https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/