PublicDateAtUSN: 2013-06-28
Candidate: CVE-2013-4073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
https://usn.ubuntu.com/usn/usn-1902-1
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb
in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before
2.0.0-p247 does not properly handle a '\0' character in a domain name in
the Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority, a related issue
mdeslaur> possible regression: https://bugs.ruby-lang.org/issues/8575
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4073
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714541 (1.8)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714543 (1.9)
Discovered-by: William (B.J.) Snow Orvis
upstream: https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f (1.8.7)
upstream: https://github.com/ruby/ruby/commit/a3a62f87e144be31b9ca8ad6415b207f43f4e126 (regression - trunk)
upstream_ruby1.8: released (1.8.7 patchlevel 374)
lucid_ruby1.8: ignored (reached end-of-life)
precise_ruby1.8: released (1.8.7.352-2ubuntu1.3)
quantal_ruby1.8: released (1.8.7.358-4ubuntu0.3)
raring_ruby1.8: released (1.8.7.358-7ubuntu1.1)
devel_ruby1.8: released (1.8.7.358-7ubuntu2)
upstream: https://github.com/ruby/ruby/commit/2669b84d407ab431e965145c827db66c91158f89 (1.9.3)
upstream: https://github.com/ruby/ruby/commit/a3a62f87e144be31b9ca8ad6415b207f43f4e126 (regression - trunk)
upstream_ruby1.9.1: released (1.9.3 patchlevel 448)
lucid_ruby1.9.1: ignored (reached end-of-life)
precise_ruby1.9.1: released (1.9.3.0-1ubuntu2.7)
quantal_ruby1.9.1: released (1.9.3.194-1ubuntu1.5)
raring_ruby1.9.1: released (1.9.3.194-8.1ubuntu1.1)
devel_ruby1.9.1: released (1.9.3.194-8.1ubuntu2)