Bug 924184 (CVE-2015-1828) - VUL-0: CVE-2015-1828: http.rb: missing hostname verification MITM vulnerability
Summary: VUL-0: CVE-2015-1828: http.rb: missing hostname verification MITM vulnerability
Status: RESOLVED INVALID
Alias: CVE-2015-1828
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Ruby Devel
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-25 09:20 UTC by Andreas Stieger
Modified: 2015-03-25 11:15 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-03-25 09:20:50 UTC
Upstream announcement:
https://groups.google.com/d/msg/httprb/jkb4oxwZjkU/283GoNRnx9oJ

[[[
From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 24 Mar 2015 17:29:45 -0700
Subject: CVE-2015-1828: HTTPS MitM vulnerability in http.rb
To: httprb@googlegroups.com, rubysec-announce@googlegroups.com, moderators@osvdb.org

Affected versions: all
Fixed versions: 0.7.3

http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check
method to perform hostname verification. Because of this, an attacker with
a valid certificate but with a mismatched subject can perform a MitM attack.

The problem was corrected by calling #post_connection_check.
]]]
Upstream commit:
https://github.com/httprb/http.rb/commit/1b573f62bbff2f92776774484b6c85f0306dc3ae
commit 1b573f62bbff2f92776774484b6c85f0306dc3ae
Author: Zach Anker <zanker@squareup.com>
Date:   Tue Mar 24 13:53:51 2015 -0700

    Ensure we verify SSL certificate identity after connecting (CVE-2015-1828)

Merge:
https://github.com/httprb/http.rb/commit/5e83a6bac86004b36c0af117951b85d7bd28715b
Merge: 5fdaf5d 1b573f6
Author: Tony Arcieri <bascule@gmail.com>
Date:   Tue Mar 24 16:58:22 2015 -0700

    Merge pull request #180 from zanker/zanker/post-verify-checks
    
    Ensure we verify SSL certificate identity after connecting

Changelog:
[[[
* SECURITY FIX: http.rb failed to call the #post_connection_check method
  on SSL connections. This method implements hostname verification, and
  without it http.rb was vulnerable to MitM attacks. The problem was
  corrected by calling #post_connection_check (CVE-2015-1828)
]]]
There is another stability fix on top of that:
commit dcc87a5b8d3cc85fc964a9013f923c5ef83d18c5
Merge: f9abaa9 82e1441
Author: Alexey Zapparov <ixti@member.fsf.org>
Date:   Wed Mar 25 03:09:30 2015 +0100

    Merge pull request #181 from zanker/zanker/sync-close-ssl
    
    Set sync_close when available to avoid leaking sockets

commit 82e144122b12b7e77c69e7e86e73e9ca0b9510e5
Author: Zach Anker <zanker@squareup.com>
Date:   Tue Mar 24 13:57:25 2015 -0700

    Set sync_close when available to avoid leaking sockets
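The missing check described above, as an added example that is not part of this bug report or of http.rb's own code: a constructed self-signed certificate for one name is compared against the hostname the client requested with OpenSSL::SSL.verify_certificate_identity, the helper SSLSocket#post_connection_check relies on. The hostnames, the chain_ok flag and the accept helpers are assumptions for illustration only.

```ruby
require 'openssl'

# Build a self-signed certificate for +cn+ with a matching SAN (constructed
# test data; it stands in for a certificate a trusted CA issued for that name).
def make_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What SSLSocket#post_connection_check does: match the peer certificate's
# SAN/CN against the requested hostname and raise SSLError on mismatch.
def check_identity!(cert, hostname)
  return true if OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  raise OpenSSL::SSL::SSLError,
        "hostname \"#{hostname}\" does not match the server certificate"
end

# Vulnerable pattern (http.rb before 0.7.3): chain validity (VERIFY_PEER) is
# the only gate, so a valid certificate for a different name is accepted.
# +chain_ok+ stands in for OpenSSL's chain verification result (assumption).
def vulnerable_accept?(_cert, chain_ok, _hostname)
  chain_ok
end

# Fixed pattern: chain validity AND the identity check, as in 0.7.3.
def fixed_accept?(cert, chain_ok, hostname)
  return false unless chain_ok
  check_identity!(cert, hostname)
rescue OpenSSL::SSL::SSLError
  false
end

if __FILE__ == $PROGRAM_NAME
  cert = make_cert('other.example')   # valid chain, but not the host we asked for
  puts "vulnerable: #{vulnerable_accept?(cert, true, 'api.example')}"  # true
  puts "fixed:      #{fixed_accept?(cert, true, 'api.example')}"       # false
end
```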

Comment 2 Marcus Rückert 2015-03-25 10:44:44 UTC
[http.rb](https://rubygems.org/gems/http.rb) is not ruby.

Ruby itself does it right.
Comment 3 Andreas Stieger 2015-03-25 11:15:50 UTC
It seems that we do not ship this code.