[arch-security] [ASA-201504-13] ruby: permissive certificate verification
anthraxx at archlinux.org
Tue Apr 14 15:07:37 UTC 2015
Arch Linux Security Advisory ASA-201504-13
Date : 2015-04-14
CVE-ID : CVE-2015-1855
Package : ruby
Type : permissive certificate verification
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package ruby before version 2.2.2-1 is vulnerable to permissive
certificate verification via matching of hostnames.
Upgrade to 2.2.2-1.
# pacman -Syu "ruby>=2.2.2-1"
The problem has been fixed upstream in version 2.2.2.
A review of RFC 6125 and RFC 5280 found multiple violations in how
hostnames, and particularly wildcard certificates, were matched.
Ruby’s OpenSSL extension will now provide a string-based matching
algorithm which follows stricter behavior, as recommended by these
RFCs. In particular, matching of more than one wildcard per subject/SAN
is no longer allowed. As well, comparison of these values is now
This change will take effect Ruby’s
- Only one wildcard character in the left-most part of the hostname is
- IDNA names can now only be matched by a simple wildcard (e.g.
- Subject/SAN should be limited to ASCII characters only.
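The following is an added example, not code from Ruby's OpenSSL extension or from the advisory: a pure-Ruby hostname matcher that applies the rules listed above (ASCII only, case-insensitive, a single wildcard confined to the left-most label, IDNA labels matched only by a bare "*"), placed beside a naive glob-style matcher of the kind those rules replace. The module name `HostnameCheck` and the sample names are assumptions.

```ruby
# Added illustration of the RFC 6125 hostname-matching rules described in the
# advisory. Not Ruby's own implementation; module and sample names are made up.
module HostnameCheck
  module_function

  # Permissive matching: the certificate name is treated as a shell-style glob.
  # Illustrative only; it accepts any number of wildcards in any label.
  def permissive?(pattern, hostname)
    File.fnmatch(pattern, hostname, File::FNM_CASEFOLD)
  end

  # Strict matching following the advisory's rules:
  #  * subject/SAN and hostname are compared as ASCII only
  #  * comparison is case-insensitive, label by label
  #  * at most one '*' per name, and only in the left-most label
  #  * an IDNA (xn--) label is matched only by a bare '*'
  def strict?(pattern, hostname)
    return false unless pattern.ascii_only? && hostname.ascii_only?
    pat  = pattern.downcase.split('.', -1)
    host = hostname.downcase.split('.', -1)
    return false if pat.size != host.size
    return false if pat.any?(&:empty?) || host.any?(&:empty?)
    # Every label after the first must match exactly, so no wildcard there.
    return false unless pat[1..-1] == host[1..-1]
    wildcard_label?(pat.first, host.first)
  end

  # Match a single left-most label; +pat+ may contain at most one '*'.
  def wildcard_label?(pat, host)
    parts = pat.split('*', -1)
    return false if parts.size > 2          # more than one wildcard
    return pat == host if parts.size == 1   # no wildcard: exact compare
    return false if host.start_with?('xn--') && pat != '*'
    prefix, suffix = parts
    host.length > prefix.length + suffix.length &&
      host.start_with?(prefix) && host.end_with?(suffix)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample pairs (certificate name, hostname) for comparison.
  [['*.example.com', 'www.example.com'], ['*.example.com', 'a.b.example.com'],
   ['*.*.example.com', 'a.b.example.com'], ['f*o*.example.com', 'foo.example.com'],
   ['x*.example.com', 'xn--bcher-kva.example.com']].each do |cert, host|
    printf("%-18s %-28s permissive=%-5s strict=%s\n", cert, host,
           HostnameCheck.permissive?(cert, host), HostnameCheck.strict?(cert, host))
  end
end
```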
A remote attacker can make use of the overly permissive hostname
matching during certificate verification to perform a man-in-the-middle
attack by spoofing SSL servers via a crafted certificate.