Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Hi, * akira yamada [EMAIL PROTECTED] [2007-11-15 16:19]: [...] The code you quoted is in the ruby1.9 package but _not_ in the ruby1.8 package. ruby1.8 source package uses cdbs and dpatch. please apply patches. Thank you, I somehow missed the patch. I thought I looked at it. Thanks, I marked this bug as fixed in that version. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgppRjYGKmY7c.pgp Description: PGP signature
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Package: ruby1.8 Version: 1.8.5-4 Severity: important Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for ruby1.8. CVE-2007-5770[0]: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, | and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that | the commonName (CN) field in a server certificate matches the domain | name in a request sent over SSL, which makes it easier for remote | attackers to intercept SSL transmissions via a man-in-the-middle | attack or spoofed web site, different components than CVE-2007-5162. If you fix this vulnerability please also include the CVE id in your changelog entry. This is fixed in the unstable ruby1.9 package. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpHEeJDWfT7W.pgp Description: PGP signature
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Hi, Package: ruby1.8 Version: 1.8.5-4 Severity: important Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for ruby1.8. CVE-2007-5770[0]: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, | and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that | the commonName (CN) field in a server certificate matches the domain | name in a request sent over SSL, which makes it easier for remote | attackers to intercept SSL transmissions via a man-in-the-middle | attack or spoofed web site, different components than CVE-2007-5162. I already fixed the bugs and sent new packages to Debian security team. Note: Net::POP in ruby1.8 and earlier version of ruby1.9 does not support SSL. -- ay -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Hi, At least the telnets code in ruby1.8 (unstable) is not fixed. Do I miss anything? The fix is in net/telnets.rb. 137 if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE 138@sock.post_connection_check(@options['Host']) 139 end Thank you. -- ay -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Hi akira, * akira yamada [EMAIL PROTECTED] [2007-11-15 15:15]: Package: ruby1.8 Version: 1.8.5-4 Severity: important Tags: security [...] CVE-2007-5770[0]: | The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, | and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that | the commonName (CN) field in a server certificate matches the domain | name in a request sent over SSL, which makes it easier for remote | attackers to intercept SSL transmissions via a man-in-the-middle | attack or spoofed web site, different components than CVE-2007-5162. I already fixed the bugs and sent new packages to Debian security team. Note: Net::POP in ruby1.8 and earlier version of ruby1.9 does not support SSL. At least the telnets code in ruby1.8 (unstable) is not fixed. Do I miss anything? Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpBWquEgaCJk.pgp Description: PGP signature
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
It's not: [EMAIL PROTECTED]:tmp$] LC_ALL=C apt-get source ruby1.8 Reading package lists... Done Building dependency tree Reading state information... Done Need to get 4593kB of source archives. Get:1 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (dsc) [1061B] Get:2 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (tar) [4548kB] Get:3 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (diff) [44.0kB] Fetched 4593kB in 9s (460kB/s) dpkg-source: extracting ruby1.8 in ruby1.8-1.8.6.111 dpkg-source: unpacking ruby1.8_1.8.6.111.orig.tar.gz dpkg-source: applying ./ruby1.8_1.8.6.111-2.diff.gz [EMAIL PROTECTED]:tmp$] cd ruby1.8-1.8.6.111 [EMAIL PROTECTED]:ruby1.8-1.8.6.111$] grep VerifyMode ext/openssl/lib/net/telnets.rb 'VerifyMode' = SSL::VERIFY_PEER, 'VerifyMode' = SSL::VERIFY_PEER, @sock.verify_mode = @options['VerifyMode'] The code you quoted is in the ruby1.9 package but _not_ in the ruby1.8 package. ruby1.8 source package uses cdbs and dpatch. please apply patches. Thank you. -- ay -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#451374: CVE-2007-5770 unauthorized disclosure of information
Hi akira, * akira yamada [EMAIL PROTECTED] [2007-11-15 15:40]: At least the telnets code in ruby1.8 (unstable) is not fixed. Do I miss anything? The fix is in net/telnets.rb. 137 if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE 138@sock.post_connection_check(@options['Host']) 139 end Thank you. It's not: [EMAIL PROTECTED]:tmp$] LC_ALL=C apt-get source ruby1.8 Reading package lists... Done Building dependency tree Reading state information... Done Need to get 4593kB of source archives. Get:1 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (dsc) [1061B] Get:2 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (tar) [4548kB] Get:3 http://debian.netcologne.de unstable/main ruby1.8 1.8.6.111-2 (diff) [44.0kB] Fetched 4593kB in 9s (460kB/s) dpkg-source: extracting ruby1.8 in ruby1.8-1.8.6.111 dpkg-source: unpacking ruby1.8_1.8.6.111.orig.tar.gz dpkg-source: applying ./ruby1.8_1.8.6.111-2.diff.gz [EMAIL PROTECTED]:tmp$] cd ruby1.8-1.8.6.111 [EMAIL PROTECTED]:ruby1.8-1.8.6.111$] grep VerifyMode ext/openssl/lib/net/telnets.rb 'VerifyMode' = SSL::VERIFY_PEER, 'VerifyMode' = SSL::VERIFY_PEER, @sock.verify_mode = @options['VerifyMode'] The code you quoted is in the ruby1.9 package but _not_ in the ruby1.8 package. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpeLBnooE7kB.pgp Description: PGP signature