Bug 362081 (CVE-2007-5770)

Summary: CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: isenfeld, tagoh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-16 16:50:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 320331, 320341, 320371, 320381, 373371, 373381, 373391, 373401    
Bug Blocks:    

Description Tomas Hoger 2007-11-01 16:36:35 UTC 
A flaw was discovered in a way various ruby net::* modules verify commonName
(CN) attribute of SSL certificate provided by server against requested hostname,
which makes it easier for remote attackers to intercept SSL transmissions via a
man-in-the-middle attack or spoofed site.

Issue was originally reported for net::http(s) module and was assigned CVE id
CVE-2007-5162.  However, similar issue also affects other modules: net::ftptls,
net::telnets, net::imap and CVS versions of net::pop and net::smtp.

Upstream SVN commit:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
Comment 4 Red Hat Product Security 2008-01-16 16:50:43 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0965.html
  http://rhn.redhat.com/errata/RHSA-2007-0961.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2685
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-2812