- ------------------------------------------------------------------------Debian Security Advisory DSA-1411-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------Package        : libopenssl-ruby
Vulnerability  : programming error
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5162 CVE-2007-5770

Several vulnerabilities have been discovered in Ruby, an object-oriented
scripting language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-5162

    It was discovered that the Ruby HTTP(S) module performs insufficient
    validation of SSL certificates, which may lead to man-in-the-middle
    attacks.

CVE-2007-5770

    It was discovered that the Ruby modules for FTP, Telnet, IMAP, POP
    and SMTP perform insufficient validation of SSL certificates, which
    may lead to man-in-the-middle attacks.

The stable distribution (etch) no longer contains libopenssl-ruby.

For the old stable distribution (sarge), these problems have been fixed
in version 0.1.4a-1sarge1. Packages for sparc will be provided later.

We recommend that you upgrade your libopenssl-ruby packages.

Upgrade instructions
- --------------------wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     4416 25ee3170c96536d66cd8640474bebf85
      Size/MD5 checksum:    84122 303d0473fdb1480a0936a5661d8ba8e3
      Size/MD5 checksum:      654 b1f510c66bbb4af526741c8d5911ffba

alpha architecture (DEC Alpha)

      Size/MD5 checksum:    99566 17d715cd50ba41f6c139844de72b50a0

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:    97832 3a57407b743683544483941f8739f276

arm architecture (ARM)

      Size/MD5 checksum:    90504 80218918d52c9063de2679a0ef308350

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   102480 5b217e95e5acd0b41ef69f0fa373ed73

i386 architecture (Intel ia32)

      Size/MD5 checksum:    93628 6dd15a1fb32a3792811a7955083d835e

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   112496 8dd845a285ba4c46aa148d5e03e142cd

m68k architecture (Motorola Mc680x0)

      Size/MD5 checksum:    94740 25df2cf97eb03a8f1a53c447cfdc7e73

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:    83622 0637caea582cefd6994e9c1bfd105464

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:    82978 a717ab31fb14a34d75c7209ba3ad0bda

powerpc architecture (PowerPC)

      Size/MD5 checksum:    91528 317a63aba89b5255f4bb8f2a3031d563

s390 architecture (IBM S/390)

      Size/MD5 checksum:    99954 578551946138e9b1cf38ff65dea29b53


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Debian: New libopenssl-ruby packages fix insecure SSL

November 25, 2007
It was discovered that the Ruby HTTP(S) module performs insufficient validation of SSL certificates, which may lead to man-in-the-middle attacks.

Summary


It was discovered that the Ruby HTTP(S) module performs insufficient
validation of SSL certificates, which may lead to man-in-the-middle
attacks.

CVE-2007-5770

It was discovered that the Ruby modules for FTP, Telnet, IMAP, POP
and SMTP perform insufficient validation of SSL certificates, which
may lead to man-in-the-middle attacks.

The stable distribution (etch) no longer contains libopenssl-ruby.

For the old stable distribution (sarge), these problems have been fixed
in version 0.1.4a-1sarge1. Packages for sparc will be provided later.

We recommend that you upgrade your libopenssl-ruby packages.

Upgrade instructions
- --------------------wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 4416 25ee3170c96536d66cd8640474bebf85
Size/MD5 checksum: 84122 303d0473fdb1480a0936a5661d8ba8e3
Size/MD5 checksum: 654 b1f510c66bbb4af526741c8d5911ffba

alpha architecture (DEC Alpha)

Size/MD5 checksum: 99566 17d715cd50ba41f6c139844de72b50a0

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 97832 3a57407b743683544483941f8739f276

arm architecture (ARM)

Size/MD5 checksum: 90504 80218918d52c9063de2679a0ef308350

hppa architecture (HP PA RISC)

Size/MD5 checksum: 102480 5b217e95e5acd0b41ef69f0fa373ed73

i386 architecture (Intel ia32)

Size/MD5 checksum: 93628 6dd15a1fb32a3792811a7955083d835e

ia64 architecture (Intel ia64)

Size/MD5 checksum: 112496 8dd845a285ba4c46aa148d5e03e142cd

m68k architecture (Motorola Mc680x0)

Size/MD5 checksum: 94740 25df2cf97eb03a8f1a53c447cfdc7e73

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 83622 0637caea582cefd6994e9c1bfd105464

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 82978 a717ab31fb14a34d75c7209ba3ad0bda

powerpc architecture (PowerPC)

Size/MD5 checksum: 91528 317a63aba89b5255f4bb8f2a3031d563

s390 architecture (IBM S/390)

Size/MD5 checksum: 99954 578551946138e9b1cf38ff65dea29b53


These files will probably be moved into the stable distribution on
its next update.

For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Severity

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly
19.Laptop Bed Esm H320
2 - 3 min read
The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux
4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved