Bugzilla – Bug 926974
VUL-0: CVE-2015-1855: ruby: Ruby OpenSSL Hostname Verification
Last modified: 2017-10-26 07:58:53 UTC
Via ruby-sec-announce: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492. Similar issues were found in Python.

This vulnerability has been assigned the CVE identifier CVE-2015-1855. We strongly recommend you upgrade Ruby.

Details

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates. Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparison of these values is now case-insensitive. This change affects Ruby’s OpenSSL::SSL#verify_certificate_identity behavior. Specifically:

- Only one wildcard character in the left-most part of the hostname is allowed.
- IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
- Subject/SAN should be limited to ASCII characters only.

All users running an affected release should upgrade immediately.

Affected versions

- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 645
- All ruby 2.1 versions prior to ruby 2.1.6
- All ruby 2.2 versions prior to ruby 2.2.2
- prior to trunk revision 50292

Credits

Thanks to Tony Arcieri, Jeffrey Walton, and Steffan Ullrich for reporting this issue. Originally reported as Bug #9644, and patches submitted by Tony Arcieri and Hiroshi Nakamura.
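The following is an added example for this bug, not code from Ruby's OpenSSL extension or from the upstream fix. It implements the matching rules the advisory lists (ASCII only, case-insensitive, a single wildcard only in the left-most label, label counts must agree, IDNA A-labels matched only by a bare "*") and contrasts them with a constructed "permissive" matcher that turns every "*" anywhere in the presented name into a label wildcard. The permissive matcher is an illustration of the class of over-matching the advisory describes, not a claim about the exact pre-fix code; the function names, the case table and the sample hostnames are this example's own.

```ruby
# Added example for this bug (not code from Ruby's OpenSSL extension).
# strict_hostname_match follows the rules in the advisory above;
# permissive_hostname_match is a constructed contrast: every "*" in the
# presented identifier becomes "[^.]+", wherever in the name it appears.

# Permissive matching (constructed for contrast, case-insensitive).
def permissive_hostname_match(hostname, presented)
  pattern = Regexp.escape(presented).gsub('\*', "[^.]+")
  /\A#{pattern}\z/i.match?(hostname)
end

# Strict matching of one reference hostname against one presented
# identifier (a dNSName SAN value or a subject CN), per RFC 6125 s6.4.3.
def strict_hostname_match(hostname, presented)
  # RFC 5280: dNSName is an IA5String, so both sides must be ASCII.
  return false unless hostname.ascii_only? && presented.ascii_only?

  # Comparison is case-insensitive; split into DNS labels, keeping empties
  # so that "foo..example.com" or a trailing dot is rejected below.
  host_labels = hostname.downcase.split(".", -1)
  san_labels  = presented.downcase.split(".", -1)
  return false if host_labels.empty? || san_labels.empty?
  return false if host_labels.any?(&:empty?) || san_labels.any?(&:empty?)

  # A wildcard may only appear in the left-most label; every other label
  # is compared literally, so label counts must be equal: "*.example.com"
  # matches "foo.example.com" but neither "example.com" nor "a.b.example.com".
  return false unless host_labels.size == san_labels.size
  return false if san_labels.drop(1).any? { |l| l.include?("*") }
  return false unless host_labels.drop(1) == san_labels.drop(1)

  leading = san_labels.first
  first   = host_labels.first
  return leading == first unless leading.include?("*")

  # Exactly one wildcard character, and never on a single-label name ("*").
  return false if leading.count("*") != 1 || san_labels.size < 2

  # IDNA A-labels ("xn--...") may only be matched by a bare "*", never by a
  # wildcard embedded in the label such as "xn--*".
  return false if first.start_with?("xn--") && leading != "*"

  # Partial-label wildcard such as "f*o": the host label must carry the
  # prefix, at least one character for the "*", and the suffix.
  prefix, suffix = leading.split("*", -1)
  first.length > prefix.length + suffix.length &&
    first.start_with?(prefix) && first.end_with?(suffix)
end

# Constructed pairs of [reference hostname, presented identifier].
CASES = [
  ["www.example.com",           "www.example.com"],
  ["WWW.Example.COM",           "www.example.com"],
  ["foo.example.com",           "*.example.com"],
  ["example.com",               "*.example.com"],
  ["a.b.example.com",           "*.example.com"],
  ["a.b.example.com",           "*.*.example.com"],   # two wildcards
  ["www.evil.com",              "www.*.com"],         # wildcard not left-most
  ["xn--bcher-kva.example.com", "*.example.com"],     # IDNA, bare "*"
  ["xn--bcher-kva.example.com", "xn--*.example.com"], # IDNA, embedded "*"
  ["b\u00fccher.example.com",   "*.example.com"],     # non-ASCII reference
].freeze

def compare(hostname, presented)
  { permissive: permissive_hostname_match(hostname, presented),
    strict:     strict_hostname_match(hostname, presented) }
end

if $PROGRAM_NAME == __FILE__
  CASES.each do |hostname, presented|
    r = compare(hostname, presented)
    printf("%-28s vs %-20s permissive=%-5s strict=%s\n",
           hostname, presented, r[:permissive], r[:strict])
  end
end
```

Running the script prints one line per case; the rows where the permissive column is true and the strict column is false (multiple wildcards, a wildcard in a non-left-most label, a wildcard embedded in an A-label, a non-ASCII reference name) are exactly the shapes the advisory says the fixed OpenSSL::SSL.verify_certificate_identity no longer accepts. In real code the check is done by that method on the certificate's SAN entries; this matcher only illustrates the comparison rules.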
History
Originally published at 2015-04-13 12:00:00 (UTC)
Upstream bug: https://bugs.ruby-lang.org/issues/9644
Upstream commit trunk: https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/50292
Upstream commit backport 2.2: https://bugs.ruby-lang.org/projects/backport22/repository/revisions/50293
Upstream commit backport 2.1: https://bugs.ruby-lang.org/projects/ruby-21/repository/revisions/50296
Upstream commit backport 2.0: https://bugs.ruby-lang.org/projects/ruby-200/repository/revisions/50294
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62111
SUSE-SU-2015:1889-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 926974,939860
CVE References: CVE-2009-5147,CVE-2015-1855
Sources used:
SUSE Studio Onsite 1.3 (src): ruby19-1.9.3.p392-0.23.1
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 24, 2015". When done, reassign the bug to "security-team@suse.de". /update/121177/.
https://github.com/ruby/openssl/pull/60 https://github.com/ruby/openssl/pull/60/commits/028e495734e9e6aa5dba1a2e130b08f66cf31a21 https://github.com/ruby/openssl/pull/60/commits/6c387d4cf1e9cc1a304cb71260079ba9a8db022d
We decided to skip the pull request for now. We should wait for 2.4 getting more widely adopted and then handle it in all the extensions. As an example see: https://github.com/glaszig/logstash-logger/commit/19355a2346f2cf31a415fa8c7b8472e63a84f092
Reproducer: https://github.com/vpereira/CVE-2015-1855
SUSE-SU-2017:0948-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 926974,959495,986630
CVE References: CVE-2015-1855,CVE-2015-7551
Sources used:
SUSE Webyast 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Studio Onsite 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Server 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Lifecycle Management Server 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE-SU-2017:1067-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ruby2.1-2.1.9-15.1
OpenStack Cloud Magnum Orchestration 7 (src): ruby2.1-2.1.9-15.1
openSUSE-SU-2017:1128-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
openSUSE Leap 42.2 (src): ruby2.1-2.1.9-8.3.2
openSUSE Leap 42.1 (src): ruby2.1-2.1.9-10.2
released