On 06/27 03:31, Jeremy Evans wrote:
> Ruby 1.8.7, 1.9.3, and 2.0.0 had security releases today to fix
> CVE-2013-4073: Hostname check bypassing vulnerability in SSL client.
> http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
>
> Exploitation of this vulnerability requires that a trusted CA
> issue a certificate with a null byte in the subjectAltName field.
>
> This will likely be the last patch release of ruby 1.8.7, as it
> becomes unsupported upstream next week.
>
> The 1.9.3 and 2.0.0 releases also contain other bugfixes.
> Unfortunately, upstream got sloppy and changed ABI in a patch
> release (removing a function, adding some new functions), so this
> bumps the majors on libruby19.so and libruby20.so.
>
> Tested on i386. Compiles fine on amd64, but I still need to do some
> additional testing there. Assuming no problems, I will be committing
> this next week.
There have been regressions reported with these new releases, so I won't
be committing this until they are fixed:
https://bugs.ruby-lang.org/issues/8575

Thanks,
Jeremy
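The hostname check the quoted advisory is about, as an added Ruby example that is not part of the original mail, of the OpenBSD port, or of Ruby's own OpenSSL binding. It is a simplified dNSName matcher in the spirit of what OpenSSL::SSL.verify_certificate_identity does; the function names, the helper that models a C string boundary, and the sample subjectAltName entries are all constructed here to show why an embedded NUL byte has to be rejected outright rather than passed on to matching.

```ruby
# Added example, not code from the original mail or from Ruby's openssl ext.
#
# A dNSName in subjectAltName is an IA5String with an explicit DER length,
# so a correct parser returns the whole value, NUL byte included. Code that
# then treats the value as a C string stops at the first "\0" and compares
# only the prefix, which is the hostname-check bypass the advisory describes.

# Models a strlen()-based consumer: everything after the first NUL is lost.
def c_string_truncate(name)
  name.split("\0", 2).first.to_s
end

# Case-insensitive exact match, plus a single leading "*." wildcard that
# may stand in for exactly one label (constructed, deliberately minimal).
def match_dns_name(pattern, hostname)
  pattern = pattern.downcase
  hostname = hostname.downcase
  return pattern == hostname unless pattern.start_with?("*.")
  host_labels = hostname.split(".", -1)
  pat_labels = pattern.split(".", -1)
  host_labels.length == pat_labels.length && host_labels[1..-1] == pat_labels[1..-1]
end

# Vulnerable variant: the name crosses a C string boundary before matching,
# so a crafted entry is judged on its NUL-terminated prefix only.
def vulnerable_hostname_match?(san_dns_names, hostname)
  san_dns_names.any? { |n| match_dns_name(c_string_truncate(n), hostname) }
end

# Hardened variant: a legitimate dNSName never contains a NUL byte, so any
# entry that does is refused before matching, whatever its prefix says.
def hardened_hostname_match?(san_dns_names, hostname)
  san_dns_names.any? do |n|
    next false if n.include?("\0")
    match_dns_name(n, hostname)
  end
end

# Constructed sample: a subjectAltName whose dNSName carries an embedded NUL.
CRAFTED_SAN = ["www.example.com\0.example.net"].freeze
HONEST_SAN = ["*.example.com", "example.com"].freeze

if __FILE__ == $0
  puts "vulnerable accepts crafted SAN: #{vulnerable_hostname_match?(CRAFTED_SAN, 'www.example.com')}"
  puts "hardened accepts crafted SAN:   #{hardened_hostname_match?(CRAFTED_SAN, 'www.example.com')}"
  puts "hardened accepts honest SAN:    #{hardened_hostname_match?(HONEST_SAN, 'www.example.com')}"
end
```

The check on the full, length-delimited value is the whole fix: once a NUL byte is treated as disqualifying, nothing downstream can be confused by what follows it, and ordinary certificates are unaffected because their dNSName entries never contain one.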
