Arch Linux Security Advisory ASA-201504-13 ========================================== Severity: Medium Date : 2015-04-14 CVE-ID : CVE-2015-1855 Package : ruby Type : permissive certificate verification Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package ruby before version 2.2.2-1 is vulnerable to permissive certificate verification via matching of hostnames. Resolution ========== Upgrade to 2.2.2-1. # pacman -Syu "ruby>=2.2.2-1" The problem has been fixed upstream in version 2.2.2. Workaround ========== None. Description =========== After reviewing RFC 6125 and RFC 5280, multiple violations were found of matching hostnames and particularly wildcard certificates. Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no-longer allowed. As well, comparison of these values are now case-insensitive. This change will take affect Ruby’s OpenSSL::SSL#verify_certificate_identity behavior. Specifically: - Only one wildcard character in the left-most part of the hostname is allowed. - IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’). - Subject/SAN should be limited to ASCII characters only. Impact ====== A remote attacker can make use of the overly permissive hostname matching during certificate verifications to perform a man-in-the-middle attack by spoofing SSL servers via a crafted certificate. References ========== https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-... https://access.redhat.com/security/cve/CVE-2015-1855 https://bugs.ruby-lang.org/issues/9644