Message-id: <E1JKU65-0002o0-Qy@artemis.annvix.ca>
Date: Thu, 31 Jan 2008 00:44:33 -0700
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2008:029 ] - Updated ruby packages fix possible
 man-in-the-middle attack


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:029
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : ruby
 Date    : January 31, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 Ruby network libraries Net::HTTP, Net::IMAP, Net::FTPTLS, Net::Telnet,
 Net::POP3, and Net::SMTP, up to Ruby version 1.8.6 are affected by a
 possible man-in-the-middle attack, when using SSL, due to a missing
 check of the CN (common name) attribute in SSL certificates against
 the server's hostname.
 
 The updated packages have been patched to prevent the issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 7d6503b580cadab905ac3ef4fde32495  2007.0/i586/ruby-1.8.5-2.3mdv2007.0.i586.rpm
 03f626e55f2da3d50e4af6a625f2d981  2007.0/i586/ruby-devel-1.8.5-2.3mdv2007.0.i586.rpm
 a286449f58ebbb35ef96b104e8148394  2007.0/i586/ruby-doc-1.8.5-2.3mdv2007.0.i586.rpm
 8124af6a429b10089ef3671f36285f81  2007.0/i586/ruby-tk-1.8.5-2.3mdv2007.0.i586.rpm 
 c542b49863e6407a3563e4bcf9207fbc  2007.0/SRPMS/ruby-1.8.5-2.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 1488eb95c352a23961ad3729108aab31  2007.0/x86_64/ruby-1.8.5-2.3mdv2007.0.x86_64.rpm
 729771da6e301b5c7b5754f95c85e478  2007.0/x86_64/ruby-devel-1.8.5-2.3mdv2007.0.x86_64.rpm
 69827a0c924ffd3da5e084ea04e36fef  2007.0/x86_64/ruby-doc-1.8.5-2.3mdv2007.0.x86_64.rpm
 cb12889526c54ed686c327c137f1320c  2007.0/x86_64/ruby-tk-1.8.5-2.3mdv2007.0.x86_64.rpm 
 c542b49863e6407a3563e4bcf9207fbc  2007.0/SRPMS/ruby-1.8.5-2.3mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 615468da1639248f8c60d7a8ef575d1b  2007.1/i586/ruby-1.8.5-5.1mdv2007.1.i586.rpm
 cda9083dd1e1df7c4a49db1e0ec20008  2007.1/i586/ruby-devel-1.8.5-5.1mdv2007.1.i586.rpm
 0268152c83d14133ac35cc7ee52cf60a  2007.1/i586/ruby-doc-1.8.5-5.1mdv2007.1.i586.rpm
 c1c580dfddc099a2af9c61b33b9f0a2f  2007.1/i586/ruby-tk-1.8.5-5.1mdv2007.1.i586.rpm 
 3d221074342e5f457373ab1aff977a96  2007.1/SRPMS/ruby-1.8.5-5.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 89de1e6816cc708d5401200405be508f  2007.1/x86_64/ruby-1.8.5-5.1mdv2007.1.x86_64.rpm
 4e0003bc558584d6f95716d8818388ce  2007.1/x86_64/ruby-devel-1.8.5-5.1mdv2007.1.x86_64.rpm
 87a5495beeb8138292aab40ce099b07b  2007.1/x86_64/ruby-doc-1.8.5-5.1mdv2007.1.x86_64.rpm
 128ce81eeb4168cb915696f76d15c448  2007.1/x86_64/ruby-tk-1.8.5-5.1mdv2007.1.x86_64.rpm 
 3d221074342e5f457373ab1aff977a96  2007.1/SRPMS/ruby-1.8.5-5.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 279f855dd2f179827968d9c9a6ee60ee  2008.0/i586/ruby-1.8.6-5.1mdv2008.0.i586.rpm
 454911b3e84a0de35e9905eadeba6852  2008.0/i586/ruby-devel-1.8.6-5.1mdv2008.0.i586.rpm
 0bdf3776e48c584eb05db2d96675957b  2008.0/i586/ruby-doc-1.8.6-5.1mdv2008.0.i586.rpm
 7a857b992180398881e396cb802d0274  2008.0/i586/ruby-tk-1.8.6-5.1mdv2008.0.i586.rpm 
 c5f286aee44c6d309fd12248d68856dc  2008.0/SRPMS/ruby-1.8.6-5.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 05e24b17c69c26e10cf48c4f83c095f9  2008.0/x86_64/ruby-1.8.6-5.1mdv2008.0.x86_64.rpm
 c7bb81a0ef557c621016a8c5468d9022  2008.0/x86_64/ruby-devel-1.8.6-5.1mdv2008.0.x86_64.rpm
 e550ae1cb99aa67711acb5d6c6af64ac  2008.0/x86_64/ruby-doc-1.8.6-5.1mdv2008.0.x86_64.rpm
 a8981603df024791c9e1d273717ce5f9  2008.0/x86_64/ruby-tk-1.8.6-5.1mdv2008.0.x86_64.rpm 
 c5f286aee44c6d309fd12248d68856dc  2008.0/SRPMS/ruby-1.8.6-5.1mdv2008.0.src.rpm

 Corporate 3.0:
 bd239b9b3ed6a8fd456f42a399bc79f8  corporate/3.0/i586/ruby-1.8.1-1.9.C30mdk.i586.rpm
 585ed391895ecc23a09ea55ed7bc0a8c  corporate/3.0/i586/ruby-devel-1.8.1-1.9.C30mdk.i586.rpm
 c5d6ef08a414db182d937426c6aeecd3  corporate/3.0/i586/ruby-doc-1.8.1-1.9.C30mdk.i586.rpm
 c87e858fede1106544bb925d594f1964  corporate/3.0/i586/ruby-tk-1.8.1-1.9.C30mdk.i586.rpm 
 b53c77b5e98f20209db9b932b8a4734d  corporate/3.0/SRPMS/ruby-1.8.1-1.9.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 6487b1d817b08f91074961f6c42a136a  corporate/3.0/x86_64/ruby-1.8.1-1.9.C30mdk.x86_64.rpm
 0277376e6ef0897fd024b5e9ec9a8a06  corporate/3.0/x86_64/ruby-devel-1.8.1-1.9.C30mdk.x86_64.rpm
 6ee5839e1af2c82da8ef604f83601e21  corporate/3.0/x86_64/ruby-doc-1.8.1-1.9.C30mdk.x86_64.rpm
 89ecdfcd225bc24a1437e0f09e513ba9  corporate/3.0/x86_64/ruby-tk-1.8.1-1.9.C30mdk.x86_64.rpm 
 b53c77b5e98f20209db9b932b8a4734d  corporate/3.0/SRPMS/ruby-1.8.1-1.9.C30mdk.src.rpm

 Corporate 4.0:
 311e14d160453952e4cc0e91599185d3  corporate/4.0/i586/ruby-1.8.2-7.6.20060mlcs4.i586.rpm
 3857b0d6eff2a26f606aa2701819a470  corporate/4.0/i586/ruby-devel-1.8.2-7.6.20060mlcs4.i586.rpm
 9f845778ef2cfc4089a787f8f971fba6  corporate/4.0/i586/ruby-doc-1.8.2-7.6.20060mlcs4.i586.rpm
 f4712a52ee18d33bd17f19c5ee5b83ae  corporate/4.0/i586/ruby-tk-1.8.2-7.6.20060mlcs4.i586.rpm 
 b0fbb9a741865d6a378336797b72a971  corporate/4.0/SRPMS/ruby-1.8.2-7.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 6ecf49a09a4ab595cd6ff04912a5370a  corporate/4.0/x86_64/ruby-1.8.2-7.6.20060mlcs4.x86_64.rpm
 821ad33b361e6c5918f530b6778b3cbe  corporate/4.0/x86_64/ruby-devel-1.8.2-7.6.20060mlcs4.x86_64.rpm
 1b2bbb2e933e7a2d16d997de3989e8dd  corporate/4.0/x86_64/ruby-doc-1.8.2-7.6.20060mlcs4.x86_64.rpm
 e2837b0b88730df0bc25474bcd47e7df  corporate/4.0/x86_64/ruby-tk-1.8.2-7.6.20060mlcs4.x86_64.rpm 
 b0fbb9a741865d6a378336797b72a971  corporate/4.0/SRPMS/ruby-1.8.2-7.6.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFHoVEDmqjQ0CJFipgRApWRAKCpvtRx3iwu7kfBHy0oa1SEEr8/OACfbk5V
GOLYVR7cWoNtorl6m1S9p28=
=QfTa
-----END PGP SIGNATURE-----
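
The missing check described in the advisory above, as an added example (not code from the advisory or from the Ruby patch): a certificate can chain to a trusted CA and still belong to a different host, so the client must also match the CN against the hostname it meant to reach. The CA, the keys and the `example.test` names are constructed for the demonstration.

```ruby
require "openssl"

# Constructed test PKI (not from the advisory): a CA and one leaf it issues.
def make_cert(cn, key, serial, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer_cert.nil? # self-signed root: mark it as a CA
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert("Constructed Test CA", CA_KEY, 1)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
# Validly issued by the trusted CA, but for a host we did not ask for.
LEAF     = make_cert("other.example.test", LEAF_KEY, 2, CA_CERT, CA_KEY)

# Chain validation alone: proves who issued the certificate, not for whom.
def chain_trusted?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Chain validation plus the hostname check the advisory says was missing.
def acceptable_for?(cert, ca_cert, hostname)
  chain_trusted?(cert, ca_cert) &&
    OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if $PROGRAM_NAME == __FILE__
  wanted = "mail.example.test" # constructed hostname the client dialled
  puts "chain trusted:        #{chain_trusted?(LEAF, CA_CERT)}"
  puts "ok for #{wanted}: #{acceptable_for?(LEAF, CA_CERT, wanted)}"
end
```

On a live connection the same comparison is made by calling `post_connection_check(hostname)` on the `OpenSSL::SSL::SSLSocket` after the handshake, which raises on a mismatch.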
