Bugzilla – Bug 936032
VUL-0: CVE-2015-3900: ruby,ruby19,ruby2.1: RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostn...
Last modified: 2023-09-12 09:31:35 UTC
CVE-2015-3900
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

affectedness:
RubyGems versions between 2.0 and 2.4.6 are vulnerable. RubyGems versions 2.0.16, 2.2.4, and 2.4.7 have been released that fix this issue. Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded versions of RubyGems.

(we do not seem to ship the "rubygems" package itself in that version range, but sufficient numbers of ruby.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62111
bugbot adjusting priority
the patch can't be applied to ruby1.9 since it is for a method (api_endpoint) which was introduced in version 2.0.0
API host resolution via SRV records was added in 2.0.0, thus it should not affect 1.9.* versions.
https://github.com/rubygems/rubygems/commit/92cbd52f10f7b1ab45f7d12537e720587160f6c5
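The hostname check that the SRV-based api_endpoint lookup discussed above needs, as an added example in Ruby (not RubyGems' own code and not the patch referenced in this bug); the SRV records are constructed inline instead of being looked up via DNS, and the record hash shape is an assumption.

```ruby
require 'uri'

# RubyGems resolves _rubygems._tcp.<host> to find its API server. Without a
# hostname check, a hijacked SRV answer is used verbatim and every API
# request goes to whatever host the answer names.
#
# A SRV target is accepted only if it is the source host itself or a
# subdomain of it. The leading dot matters: a bare end_with?(host) would
# still accept an unrelated name that merely ends in the same characters
# (e.g. "evilrubygems.org" for host "rubygems.org").
def srv_target_allowed?(host, target)
  host   = host.downcase.chomp('.')
  target = target.downcase.chomp('.')
  target == host || target.end_with?(".#{host}")
end

# Pick the API endpoint for +source_uri+ from already-resolved SRV records.
# +srv_records+ is a list of {target:, port:, priority:} hashes, a stand-in
# (assumption) for Resolv::DNS#getresources output so the example runs
# offline. When no record passes validation the source URI is returned
# unchanged: fall back to the source host, never to an arbitrary target.
def api_endpoint(source_uri, srv_records)
  uri = URI(source_uri)
  rec = srv_records
          .select { |r| srv_target_allowed?(uri.host, r[:target]) }
          .min_by { |r| r[:priority] }
  return uri unless rec

  endpoint = uri.dup
  endpoint.host = rec[:target].chomp('.')
  endpoint.port = rec[:port]
  endpoint
end

# Constructed sample answer, mixing a legitimate record with two that a
# poisoned resolver could return. Lowest priority number would win if the
# targets were not validated.
SAMPLE_SRV = [
  { target: 'api.rubygems.org.',       port: 443, priority: 10 }, # legitimate
  { target: 'gems.attacker.example.',  port: 443, priority: 1 },  # unrelated host
  { target: 'evilrubygems.org.',       port: 443, priority: 5 }   # fools a dot-less suffix check
].freeze

if __FILE__ == $0
  puts api_endpoint('https://rubygems.org', SAMPLE_SRV) # https://api.rubygems.org
end
```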
In Ruby 2.2.3, 2.1.7, 2.0.0-p647:
https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-2-3-released/
https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-1-7-released/
https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-0-0-p647-released/

> We are pleased to announce the release of Ruby 2.2.3. This is a TEENY version
> release of the stable 2.2 series.
>
> This release includes the security fix for a RubyGems domain name verification
> vulnerability.
>
> CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 24, 2015". When done, reassign the bug to "security-team@suse.de". /update/121177/.
sle11: we ship rubygems 1.8.15 there, which shouldn't be affected either, just as ruby19.
sle12: handled by upgrade to 2.1.9.
Leap: I will upgrade the 2.2 and 2.3 packages to latest as well.
SUSE-SU-2017:1067-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ruby2.1-2.1.9-15.1
OpenStack Cloud Magnum Orchestration 7 (src): ruby2.1-2.1.9-15.1
openSUSE-SU-2017:1128-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
openSUSE Leap 42.2 (src): ruby2.1-2.1.9-8.3.2
openSUSE Leap 42.1 (src): ruby2.1-2.1.9-10.2
fixed