https://redmine.ruby-lang.org/
https://redmine.ruby-lang.org/favicon.ico?1711330511
2014-03-17T01:36:52Z
Ruby Issue Tracking System
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=45832
2014-03-17T01:36:52Z
nobu (Nobuyoshi Nakada)
nobu@ruby-lang.org
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/45832/diff?detail_id=33077">diff</a>)</li><li><strong>Category</strong> set to <i>ext/openssl</i></li><li><strong>Status</strong> changed from <i>Open</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>MartinBosslet (Martin Bosslet)</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>5</i></li><li><strong>Target version</strong> set to <i>2.2.0</i></li><li><strong>Backport</strong> changed from <i>2.0.0: UNKNOWN, 2.1: UNKNOWN</i> to <i>1.9.3: REQUIRED, 2.0.0: REQUIRED, 2.1: REQUIRED</i></li></ul><p>Seems no wildcard tests.</p>
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=52106
2015-04-11T05:53:09Z
hansdegraaff (Hans de Graaff)
hans@degraaff.org
<p>It looks like this is fixed with <a href="https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596" class="external">https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596</a> which is related to <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1209981" class="external">https://bugzilla.redhat.com/show_bug.cgi?id=1209981</a></p>
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=52141
2015-04-13T13:09:45Z
nagachika (Tomoyuki Chikanaga)
nagachika00@gmail.com
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset r50292.</p>
<hr>
<ul>
<li>ext/openssl/lib/openssl/ssl.rb: stricter hostname verification<br>
following RFC 6125. with the patch provided by Tony Arcieri and<br>
Hiroshi Nakamura <a href="/issues/9644">[ruby-core:61545]</a> [Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much (Closed)" href="https://redmine.ruby-lang.org/issues/9644">#9644</a>]</li>
<li>test/openssl/test_ssl.rb: add tests for above.</li>
</ul>
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=52142
2015-04-13T13:15:13Z
nagachika (Tomoyuki Chikanaga)
nagachika00@gmail.com
<ul><li><strong>Backport</strong> changed from <i>1.9.3: REQUIRED, 2.0.0: REQUIRED, 2.1: REQUIRED</i> to <i>1.9.3: REQUIRED, 2.0.0: REQUIRED, 2.1: DONE</i></li></ul><p>Backported into <code>ruby_2_2</code> branch at r50293.</p>
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=52143
2015-04-13T13:16:58Z
usa (Usaku NAKAMURA)
usa@garbagecollect.jp
<ul><li><strong>Backport</strong> changed from <i>1.9.3: REQUIRED, 2.0.0: REQUIRED, 2.1: DONE</i> to <i>1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE</i></li></ul><p>ruby_2_0_0 r50294 merged revision(s) 50292.</p>
Ruby master - Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows too much
https://redmine.ruby-lang.org/issues/9644?journal_id=52265
2015-04-28T00:40:31Z
terceiro (Antonio Terceiro)
asa@terceiro.xyz
<ul><li><strong>File</strong> <a href="/attachments/5192">CVE-2015-1855.patch</a> added</li></ul><p>Hi,</p>
<p>I was able to backport the patch to Ruby 1.9.3, and it will be included in a Debian wheezy security update soon. I am attaching the patch here.</p>