Debian Bug report logs - #714541
ruby1.8: CVE-2013-4073: Hostname check bypassing vulnerability in SSL client


Package: ruby1.8; Maintainer for ruby1.8 is akira yamada <akira@debian.org>; Source for ruby1.8 is src:ruby1.8.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 30 Jun 2013 16:12:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions ruby1.8/1.8.7.358-7, ruby1.8/1.8.7.302-2

Fixed in version ruby1.8/1.8.7.358-7.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8. (Sun, 30 Jun 2013 16:12:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>. (Sun, 30 Jun 2013 16:12:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby1.8: CVE-2013-4073: Hostname check bypassing vulnerability in SSL client
Date: Sun, 30 Jun 2013 18:08:56 +0200
Package: ruby1.8
Severity: normal
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for ruby1.8.

CVE-2013-4073[0]:
Hostname check bypassing vulnerability in SSL client

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
    http://security-tracker.debian.org/tracker/CVE-2013-4073
[1] http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
[2] https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f

(note that the patch[2] contains a typo and needs the follow-up patch too).

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
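
The report above names the bug but does not show the mechanism. The following is an added example of mine, not code from the bug report, the ruby1.8 package or the upstream patch. It assumes the null-byte issue described in the linked ruby-lang.org advisory: a dNSName in subjectAltName such as `www.example.com\0.attacker.test` was compared only up to the NUL, because the pre-fix client read the extension back as printed text, while the fix decodes the extension's DER and compares the whole byte string. The truncation model in `vulnerable_identity?`, the helper names, the `attacker.test` and `www.example.com` certificates and the hostnames are all constructed for the demonstration; `library_rejects_nul` additionally checks the behaviour of the `OpenSSL::SSL.verify_certificate_identity` shipped with the Ruby that runs the script.

```ruby
require "openssl"

# Build a subjectAltName extension straight from ASN.1 so a dNSName can carry
# an embedded NUL byte, which the openssl.cnf "DNS:" syntax cannot express.
# dNSName is GeneralName CHOICE [2] IMPLICIT IA5String (RFC 5280, 4.2.1.6).
def san_extension(*dns_names)
  general_names = dns_names.map do |name|
    OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
  end
  OpenSSL::X509::Extension.new("subjectAltName",
                               OpenSSL::ASN1::Sequence.new(general_names).to_der)
end

# Constructed, unsigned certificate: identity matching reads only the subject
# and the extensions, so no key or signature is needed for this demonstration.
def make_cert(common_name, *dns_names)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.add_extension(san_extension(*dns_names)) unless dns_names.empty?
  cert
end

# Extract the dNSName entries by decoding the extension's DER, as the fix does:
# Extension ::= SEQUENCE { extnID, [critical,] extnValue OCTET STRING }, and
# extnValue wraps a SEQUENCE OF GeneralName.
def san_dns_names(ext)
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last
  OpenSSL::ASN1.decode(extn_value.value).value
    .select { |general_name| general_name.tag == 2 }
    .map(&:value)
end

# The wildcard rule the 1.8 client used: "*" matches one label fragment.
def wildcard_match?(pattern, hostname)
  reg = Regexp.escape(pattern).gsub(/\\\*/, "[^.]+")
  !!(/\A#{reg}\z/i =~ hostname)
end

# Fallback used only when the certificate carries no dNSName at all.
def cn_match?(cert, hostname)
  cert.subject.to_a.any? { |oid, value, _type| oid == "CN" && wildcard_match?(value, hostname) }
end

# Model of the pre-fix behaviour (my model, not the original code): the SAN was
# read back as printed text, and the C string printer stops at the first NUL,
# so only "www.example.com" out of "www.example.com\0.attacker.test" is compared.
def vulnerable_identity?(cert, hostname)
  saw_dns = false
  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    san_dns_names(ext).each do |name|
      saw_dns = true
      as_printed = name.split("\0", 2).first.to_s
      return true if wildcard_match?(as_printed, hostname)
    end
  end
  saw_dns ? false : cn_match?(cert, hostname)
end

# Post-fix behaviour: the full byte string of each dNSName is compared, so a
# name containing a NUL cannot match a real hostname. Skipping such names
# outright is my addition; the upstream patch relies on the byte-exact compare.
def fixed_identity?(cert, hostname)
  saw_dns = false
  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    san_dns_names(ext).each do |name|
      saw_dns = true
      next if name.include?("\0")
      return true if wildcard_match?(name, hostname)
    end
  end
  saw_dns ? false : cn_match?(cert, hostname)
end

def demo
  # Constructed inputs: an attacker's certificate whose dNSName is the victim
  # name, a NUL, then the attacker's own domain; and an honest certificate.
  evil   = make_cert("attacker.test", "www.example.com\0.attacker.test")
  honest = make_cert("www.example.com", "www.example.com", "*.example.com")
  {
    vulnerable_accepts_nul:  vulnerable_identity?(evil, "www.example.com"),
    fixed_rejects_nul:       !fixed_identity?(evil, "www.example.com"),
    library_rejects_nul:     !OpenSSL::SSL.verify_certificate_identity(evil, "www.example.com"),
    fixed_accepts_exact:     fixed_identity?(honest, "www.example.com"),
    fixed_accepts_wildcard:  fixed_identity?(honest, "api.example.com"),
    fixed_rejects_foreign:   !fixed_identity?(honest, "www.attacker.test"),
    cn_fallback_without_san: fixed_identity?(make_cert("cn.example.com"), "cn.example.com"),
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Every entry of the hash returned by `demo` is expected to be true: the pre-fix model accepts the NUL-bearing certificate for `www.example.com`, while both the byte-exact comparison and the library's current `verify_certificate_identity` reject it without breaking exact, wildcard or CN-only matching. A certificate like `evil` is only dangerous when a CA would sign it, which is why the advisory treats the client-side check as the last line of defence.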



Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Jun 2013 16:15:09 GMT)

Marked as found in versions ruby1.8/1.8.7.302-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Jul 2013 12:18:04 GMT)

Marked as found in versions ruby1.8/1.8.7.358-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Jul 2013 12:18:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8. (Sat, 06 Jul 2013 15:48:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sat, 06 Jul 2013 15:48:07 GMT)

Message #16 received at 714541@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 714541@bugs.debian.org, 714543@bugs.debian.org
Subject: Possible regression introduced by the original patch
Date: Sat, 6 Jul 2013 17:45:49 +0200
Hi

Additional update: there seems to be a regression[1], so it needs a
follow-up patch[2].

 [1] https://bugs.ruby-lang.org/issues/8575
 [2] https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/41805

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8. (Sun, 07 Jul 2013 12:45:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Sun, 07 Jul 2013 12:45:04 GMT)

Message #21 received at 714541@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 714541@bugs.debian.org
Subject: Re: Bug#714541: ruby1.8: CVE-2013-4073: Hostname check bypassing vulnerability in SSL client
Date: Sun, 7 Jul 2013 14:42:30 +0200
Hi Ruby maintainers

Attached is also the proposed debdiff for ruby1.8 and CVE-2013-4073,
similar to #714543 (for ruby1.9.1).

Regards,
Salvatore
[ruby1.8_1.8.7.358-7.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8. (Mon, 08 Jul 2013 16:39:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>. (Mon, 08 Jul 2013 16:39:08 GMT)

Message #26 received at 714541@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 714541@bugs.debian.org
Subject: ruby1.8: diff for NMU version 1.8.7.358-7.1
Date: Mon, 8 Jul 2013 18:37:18 +0200
tags 714541 + pending
thanks

Dear Ruby maintainers!

I've prepared an NMU for ruby1.8 (versioned as 1.8.7.358-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby1.8-1.8.7.358-7.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Jul 2013 16:39:11 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 10 Jul 2013 17:06:14 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Jul 2013 17:06:14 GMT)

Message #33 received at 714541-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 714541-close@bugs.debian.org
Subject: Bug#714541: fixed in ruby1.8 1.8.7.358-7.1
Date: Wed, 10 Jul 2013 17:04:17 +0000
Source: ruby1.8
Source-Version: 1.8.7.358-7.1

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jul 2013 14:10:32 +0200
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libtcltk-ruby1.8 ruby1.8-examples ri1.8 ruby1.8-full
Architecture: source all amd64
Version: 1.8.7.358-7.1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-examples - Examples for Ruby 1.8
 ruby1.8-full - Ruby 1.8 full installation
Closes: 714541
Changes: 
 ruby1.8 (1.8.7.358-7.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2013-4073.patch patch.
     CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
     (Closes: #714541)
Checksums-Sha1: 
 78cad0e85896bac3c01087f435de4d492093966e 2536 ruby1.8_1.8.7.358-7.1.dsc
 6222e9b40a414a77349bd4ab301c65fde24d5770 59975 ruby1.8_1.8.7.358-7.1.debian.tar.gz
 869eff8e2a0a39d579df6ab6c0c2a55d7fef878f 344664 ruby1.8-examples_1.8.7.358-7.1_all.deb
 585ded63fdfe0b7b69c5b585ff8b4ab0e02b1054 1434598 ri1.8_1.8.7.358-7.1_all.deb
 80b9238fe98c8c7a6b3113cdd27a0505ce81e195 283886 ruby1.8-full_1.8.7.358-7.1_all.deb
 db955f7b07cb859f5be879fca49813c710430810 320022 ruby1.8_1.8.7.358-7.1_amd64.deb
 a26ec7d3da3fc398dba2125a24b631c733533167 2078510 libruby1.8_1.8.7.358-7.1_amd64.deb
 261481aa9b19e4c1ad0ea9ceb621f717232f8e11 1740644 libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
 b93868d1b938473cb1094f2e3124abc01acf7be2 910826 ruby1.8-dev_1.8.7.358-7.1_amd64.deb
 114be84c0c2b46d99ef71261643ef8ca57399188 2037396 libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb
Checksums-Sha256: 
 394fb976de86136b90c5e78d0a104221b98f2cd782dfd2ab9ac066241fb70e50 2536 ruby1.8_1.8.7.358-7.1.dsc
 8174505b449447149cc1917185f39472cc80156968a777b639353febf48727bb 59975 ruby1.8_1.8.7.358-7.1.debian.tar.gz
 e65cda729af36a31267b586e43a5da234e858ffe0cdb28da3e291217f41b6dcc 344664 ruby1.8-examples_1.8.7.358-7.1_all.deb
 c096f5cc14f5d67649932c2abd61202fe39db3041a2921fac7b7bb4af645c032 1434598 ri1.8_1.8.7.358-7.1_all.deb
 b007b7310f7dcdd3360fb787972d02235eb50fdb6b11e11ce291d6a2f723ac48 283886 ruby1.8-full_1.8.7.358-7.1_all.deb
 f820b4449b40aae83c91e960094c5650cd46cd5a360f7a192f295e8e1a2684d8 320022 ruby1.8_1.8.7.358-7.1_amd64.deb
 ec2fee345073e50edadc5733c233ab77e55ee2e3b8ea307c45fe2a118d3c91a2 2078510 libruby1.8_1.8.7.358-7.1_amd64.deb
 24882fd08837117d86b8563e6421548e53a1a3941c32440e025c6d68449d8d01 1740644 libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
 fae6bff49adfee2c668525889275082f31dd38a0062be336de3bb0a0dda962a0 910826 ruby1.8-dev_1.8.7.358-7.1_amd64.deb
 4d2509f8e6493078bba015b5b7774e510b08929fef6951623361d2f852e30e35 2037396 libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb
Files: 
 d0dfa4af9a87cb4b67208963388244ac 2536 ruby optional ruby1.8_1.8.7.358-7.1.dsc
 8deb889960f4f9009b126f0d922351e6 59975 ruby optional ruby1.8_1.8.7.358-7.1.debian.tar.gz
 03d9cd86af0feabd214dbd15cc511d1b 344664 ruby optional ruby1.8-examples_1.8.7.358-7.1_all.deb
 7ec5c580111e8ad95b8a0ab502d7aab2 1434598 ruby optional ri1.8_1.8.7.358-7.1_all.deb
 48a539688c8e74d3d0c38d164d5a730d 283886 ruby optional ruby1.8-full_1.8.7.358-7.1_all.deb
 a0f85e340374a4052465c136fc72ecfe 320022 ruby optional ruby1.8_1.8.7.358-7.1_amd64.deb
 8f79e63663589b69df9b3602f780c57c 2078510 libs optional libruby1.8_1.8.7.358-7.1_amd64.deb
 0cf506db2069e5d79f1faaaff7119c6c 1740644 debug extra libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
 3493b6f54de380e5c60556c66192c2d8 910826 ruby optional ruby1.8-dev_1.8.7.358-7.1_amd64.deb
 61f3ffafd5845056d3d0b679267a44cb 2037396 ruby optional libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJR2tBKAAoJEHidbwV/2GP+9J0P/i5WP+f7fIF02Pw/9jzEUTWC
2w3q5qrZUysOWAM9Lp120XNpzN8QRbASjR/Ie48VdD1rtBgm5p+87GzXjzKu8P8x
aKFeJhBGVWgucUzU1ysfDj4xAMwKhxphNyn61g89uG0sbYvRILw74HeBI8ZWLFR7
a2+5TfWEGBh8Be2f5FVEAkWZGQpqVTpkmUaxxAiJqndN7bQoMXIHB7dtv4EC6MMl
WRqjjbwWjqgXFQ4QCt3rEfa6zS6aC1OFHvkK2ZHYH5y9fvjGvTUIp/zvStnGiaom
dzEU2CZjSXZfajytCCaTIb+CQidEvXGg20sV9DiT2N0wOrjKZuWOzmCDDjwflmZF
BWYA5DFetU40ExeIFNzP/t9VizsB9oNeWP4Vlqdnw/53d/gU6VMqQqNyn8brlbVq
mTDIGlFxreGIA9aZv0Z1zbF/Yun3oH0wnZfV/Tpgz0EIeWQpSJt7oTA+//+l7hMZ
x+7zFr/ZHAOLAT73Y88bP+E92o1kNttUynSTE2+xseJEX16TiqUgD4qy43qPEwu3
J2tXNylqCEGoTNAH2aXIfW0Mza438ECveaNCr67vZUOkyuKFCsabr/8W6ME5gGZt
X4DCOTXiRl6sVRdVqpuCwD0fGDC8L/DrFxAeRUnzFjQvepFlUan04CQJU+xVt8+Z
YYcAzw3TS5aVmA2GMBu8
=fr6f
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:29:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:53:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.