Upstream has issued an advisory on April 13: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

The issue is fixed in 2.0.0-p645: https://www.ruby-lang.org/en/news/2015/04/13/ruby-2-0-0-p645-released/

Mageia 4 and Mageia 5 are affected. The 2.0.0-p645 release announcement also notes that ruby 2.0.0 will only be supported until February 2016, thus not covering Mageia 5's lifetime. What shall we do?
Whiteboard: (none) => MGA5TOO, MGA4TOO
There is not much we can do for Mageia 5, 2.1 was not supported widely enough when the ruby stack was updated from 1.9.x for Mageia 4. For Mageia 5 I spent a lot of time on Java stuff and didn't spend any time on Ruby :( 2.1 would have been a better choice for Mageia 5, especially given that it ended up being the version in Debian Jessie and Ubuntu 15.04 but it is too late. Committed for Mageia 5 and requested push, submitted for Mageia 4. Looking at testing.
How much other stuff would be required to update and/or rebuild if we updated to Ruby 2.1.x? I'm just thinking is it feasible as something that could be done as an update later.
BTW, thanks for working on this Pascal. Enjoy your trip!
I wondered about it, but it is hard to know. Most packages should be fine, but unfortunately a lot of ruby modules ship without their tests for some reason, which makes it difficult to detect the ones that break. Given the number of ruby packages (500 or 600 I believe) I'll think about something semi-automated, like looking at versions / patches in Fedora 22 / Debian / Ubuntu... and assuming this is fine if they have the version we already have and no patch.
Based on the tests, here is a small version to test that the old version was vulnerable; it should print "Failed" 3 times:

=====
require 'openssl'

# Build a self-contained certificate carrying the given subjectAltName value.
def create_cert_with_san(san)
  ef = OpenSSL::X509::ExtensionFactory.new
  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse("/DC=some/DC=site/CN=Some Site")
  ext = ef.create_ext('subjectAltName', san)
  cert.add_extension(ext)
  cert
end

# Each pair is [SAN in the certificate, hostname being connected to].
# None of these should match under RFC 6125; a vulnerable ruby accepts them all.
[['DNS:www.*.com', 'www.example.com'],
 ['DNS:*b*.example.com', 'abc.example.com'],
 ['DNS:xn--*.example.com', 'xn--1ca.example.com'],
].each { |t|
  puts "Failed" if OpenSSL::SSL.verify_certificate_identity(create_cert_with_san(t[0]), t[1])
}
=====

The new version should not print anything.
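For reference, here is a plain-Ruby hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rules the fixed release enforces, run against the three rejected cases from the PoC above plus some constructed cases that a correct matcher must still accept. This is an added illustration written for this report, not the upstream patch; the helper names, the `san_matches?` parser for the `DNS:` SAN syntax and the extra test vectors are all assumptions of this example.

```ruby
# Added example: RFC 6125-style hostname matching in plain Ruby (not the upstream patch).

# Match one hostname label against one SAN label that may contain a '*'.
def match_wildcard_label(host_label, san_label)
  parts = san_label.split("*", -1)
  return host_label == san_label if parts.size == 1          # no wildcard: exact match
  return false if parts.size > 2                              # more than one '*': reject
  return false if host_label.start_with?("xn--") && san_label != "*" # no wildcard inside IDNA labels
  prefix, suffix = parts
  host_label.length > prefix.length + suffix.length &&        # '*' must cover at least one char
    host_label.start_with?(prefix) && host_label.end_with?(suffix)
end

# True if +hostname+ is identified by the DNS name +san+ (case-insensitive, ASCII only).
def hostname_matches?(hostname, san)
  return false unless hostname.ascii_only? && san.ascii_only?
  san_labels  = san.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)
  return false if san_labels.size < 2                         # refuse a bare '*'
  return false unless san_labels.size == host_labels.size     # a wildcard spans exactly one label
  return false if san_labels.any?(&:empty?) || host_labels.any?(&:empty?)
  # Only the leftmost label may carry a wildcard; every other label must match exactly.
  match_wildcard_label(host_labels.first, san_labels.first) &&
    host_labels.drop(1) == san_labels.drop(1)
end

# Accepts the "DNS:name, DNS:name" SAN syntax used in the PoC; non-DNS entries are ignored.
def san_matches?(san_extension, hostname)
  san_extension.split(",").map(&:strip).any? do |entry|
    type, value = entry.split(":", 2)
    type == "DNS" && value && hostname_matches?(hostname, value)
  end
end

# Constructed vectors: [SAN, hostname, expected]. The first three are the PoC cases.
CASES = [
  ["DNS:www.*.com",         "www.example.com",     false], # wildcard not in leftmost label
  ["DNS:*b*.example.com",   "abc.example.com",     false], # two wildcards in one label
  ["DNS:xn--*.example.com", "xn--1ca.example.com", false], # wildcard inside an IDNA label
  ["DNS:*.example.com",     "www.example.com",     true ],
  ["DNS:*.example.com",     "a.b.example.com",     false], # '*' does not span two labels
  ["DNS:www.example.com",   "WWW.Example.COM",     true ], # comparison is case-insensitive
  ["DNS:f*.example.com",    "foo.example.com",     true ], # partial wildcard is permitted
]

# Returns one boolean per case: true when the matcher gave the expected verdict.
def run_cases
  CASES.map { |san, host, expected| san_matches?(san, host) == expected }
end

CASES.each { |san, host, expected| puts "#{san_matches?(san, host) == expected ? 'ok    ' : 'FAILED'} #{san} vs #{host}" }
```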
Updated packages uploaded for Mageia 4 and Cauldron. Please note the PoC in Comment 5.

Testing complete Mageia 4 i586 using the PoC, verified expected results before (Failed) and after (no output) the update.

Advisory:
========================

Updated ruby packages fix security vulnerability:

Ruby OpenSSL hostname matching implementation violates RFC 6125 (CVE-2015-1855).

The ruby package has been updated to version 2.0.0-p645, which fixes this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
https://www.ruby-lang.org/en/news/2015/04/13/ruby-2-0-0-p645-released/
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156431.html
========================

Updated packages in core/updates_testing:
========================
ruby-2.0.0.p645-1.mga4
libruby2.0-2.0.0.p645-1.mga4
ruby-doc-2.0.0.p645-1.mga4
ruby-devel-2.0.0.p645-1.mga4
ruby-tk-2.0.0.p645-1.mga4
ruby-irb-2.0.0.p645-1.mga4

from ruby-2.0.0.p645-1.mga4.src.rpm
CC: (none) => pterjan
Version: Cauldron => 4
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure MGA4-32-OK
Severity: normal => major
Testing complete mga4 64 using the PoC in irb, thanks Pascal. Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0178.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED