Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-1411-1 libopenssl-ruby -- programming error

Date Reported:

24 Nov 2007

Affected Packages:

libopenssl-ruby

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2007-5162, CVE-2007-5770.

More information:

Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2007-5162

  It was discovered that the Ruby HTTP(S) module performs insufficient validation of SSL certificates, which may lead to man-in-the-middle attacks.

• CVE-2007-5770

  It was discovered that the Ruby modules for FTP, Telnet, IMAP, POP and SMTP perform insufficient validation of SSL certificates, which may lead to man-in-the-middle attacks.

For the old stable distribution (sarge) these problems have been fixed in version 0.1.4a-1sarge1. Packages for sparc will be provided later.

The stable distribution (etch) no longer contains libopenssl-ruby.

We recommend that you upgrade your libopenssl-ruby packages.

Fixed in:

Debian GNU/Linux 3.1 (oldstable)

Source:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby_0.1.4a-1sarge1.diff.gz

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby_0.1.4a.orig.tar.gz

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby_0.1.4a-1sarge1.dsc

Alpha:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_arm.deb

HP Precision:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_hppa.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_ia64.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_m68k.deb

Big-endian MIPS:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_mips.deb

Little-endian MIPS:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/libo/libopenssl-ruby/libopenssl-ruby1.6_0.1.4a-1sarge1_s390.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk Deutsch français 日本語 (Nihongo) svenska

How to set the default document language