_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:029
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : ruby
 Date    : January 31, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 The Ruby network libraries Net::HTTP, Net::IMAP, Net::FTPTLS,
 Net::Telnet, Net::POP3, and Net::SMTP, up to Ruby version 1.8.6, are
 vulnerable to a possible man-in-the-middle attack when using SSL,
 because the CN (common name) attribute of the server's SSL certificate
 was not checked against the hostname the client connected to.

 The updated packages have been patched to prevent the issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.
 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact
 security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
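The check the Problem Description says was missing, shown as an added example (not code from the advisory or from Ruby's own patch): a client must compare the peer certificate's identity (subjectAltName, falling back to CN) with the hostname it meant to reach, and Net::HTTP must run with VERIFY_PEER so that check actually happens. The certificate below is constructed locally so the example runs offline; `build_cert`, `cert_matches_host?` and `hardened_http` are names chosen here.

```ruby
require 'openssl'
require 'net/http'

# Constructed self-signed certificate standing in for the peer's cert,
# with the given CN and optional DNS subjectAltName entries.
def build_cert(common_name, san_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless san_names.empty?
    ef  = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The identity check itself: SAN entries are consulted when present,
# otherwise the CN is matched (with wildcard rules) against the host.
# A valid, trusted certificate issued for some other name must fail here;
# skipping this step is exactly what allowed the man-in-the-middle.
def cert_matches_host?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Hardened client setup: verify the chain, and Net::HTTP then performs
# the identity check (post_connection_check) after the TLS handshake.
def hardened_http(host)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

if __FILE__ == $0
  cert = build_cert('www.example.com', ['www.example.com'])
  puts cert_matches_host?(cert, 'www.example.com')   # true
  puts cert_matches_host?(cert, 'evil.example.net')  # false
end
```

With VERIFY_NONE (the pre-fix default in some of these libraries) the handshake succeeds against any certificate, so the identity check never runs; VERIFY_PEER plus the hostname match is the combination that closes the hole.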