[FREEBSD:D4379F59-3E9B-49EB-933B-61DE4D0B0FDB] Ruby -- OpenSSL Hostname Verification Vulnerability

Severity Medium
Affected Packages 3
CVEs 1

Ruby Developers report:

  After reviewing RFC 6125 and RFC 5280, we found multiple violations
  of matching hostnames and particularly wildcard certificates.
  Ruby’s OpenSSL extension will now provide a string-based matching
  algorithm which follows more strict behavior, as recommended by
  these RFCs. In particular, matching of more than one wildcard per
  subject/SAN is no longer allowed. As well, comparison of these
  values is now case-insensitive.
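
As an added example (not part of the advisory and not the Ruby project's own code), this script checks whether the running interpreter enforces the matching rules quoted above by calling `OpenSSL::SSL.verify_certificate_identity` on self-signed certificates built inline. The hostnames, the certificate contents and the helper names `constructed_cert` and `identity_checks` are constructed for illustration.

```ruby
require "openssl"

# One throwaway key is enough: only name matching is exercised, not chain validation.
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate whose subjectAltName holds a single dNSName.
# Every name used here is a constructed sample value.
def constructed_cert(san_dns)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed.invalid")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san_dns}", false))
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# [SAN dNSName, hostname the client asked for, result a fixed Ruby should give]
CASES = [
  ["*.example.com",    "www.example.com", true],  # single left-most wildcard
  ["WWW.Example.COM",  "www.example.com", true],  # comparison is case-insensitive
  ["w*w*.example.com", "www.example.com", false], # two wildcards in one label
  ["*.*.example.com",  "a.b.example.com", false], # wildcard outside left-most label
  ["*.example.com",    "a.b.example.com", false]  # wildcard must not span labels
].freeze

# Run every case and report what this interpreter's OpenSSL extension decides.
def identity_checks
  CASES.map do |san, host, expected|
    actual = OpenSSL::SSL.verify_certificate_identity(constructed_cert(san), host)
    { san: san, host: host, expected: expected, actual: actual }
  end
end

if __FILE__ == $PROGRAM_NAME
  identity_checks.each { |r| puts format("%-18s vs %-16s -> %s", r[:san], r[:host], r[:actual]) }
end
```

An interpreter that reports `true` for either of the multi-wildcard cases is still using the older, looser matching.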
Package Affected Version
pkg:freebsd/ruby < 2.0.0.645,1
pkg:freebsd/ruby < 2.1.6,1
pkg:freebsd/ruby < 2.2.2,1
ID: FREEBSD:D4379F59-3E9B-49EB-933B-61DE4D0B0FDB
Severity: medium
Severity from: CVE-2015-1855
URL: http://vuxml.freebsd.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html
Published: 2015-04-13T00:00:00
Modified: 2015-04-14T00:00:00
Rights: FreeBSD VuXML Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:freebsd/ruby ruby < 2.0.0.645,1
Affected pkg:freebsd/ruby ruby < 2.1.6,1
Affected pkg:freebsd/ruby ruby < 2.2.2,1