Bug 1058595 – CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1058595 - (CVE-2014-0036) CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client

Summary:	CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client

Status:	CLOSED CURRENTRELEASE

Aliases:	CVE-2014-0036

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140305,repor...
Keywords:	Security

Depends On:	1066819 1073189 1073190
Blocks:	1058596
	Show dependency tree / graph

Reported:	2014-01-28 01:11 EST by Garth Mollett
Modified:	2015-07-31 08:08 EDT (History)
CC List:	16 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-07-15 03:33:30 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
a patch that fixes the issue. (13.79 KB, patch) 2014-02-24 10:22 EST, Amos Benari	no flags	Details \| Diff
always verify peer certificate on https (14.13 KB, patch) 2014-03-02 07:51 EST, Amos Benari	no flags	Details \| Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Garth Mollett 2014-01-28 01:11:30 EST

Michael Samuel of Amcom reported that the rbovirt rubygem makes unsafe usage of the rest-client gem.
HTTPS requests are sent with SSL verification disabled which could make applications making use of rbovirt vulnerable to MITM attacks.

Comment 1 Garth Mollett 2014-02-19 02:23:21 EST

Acknowledgements:

Red Hat would like to thank Michael Samuel of Amcom for reporting this issue.

Comment 3 Amos Benari 2014-02-24 10:22:41 EST

Created attachment 866995 [details]
a patch that fixes the issue.

Comment 4 Amos Benari 2014-03-02 07:51:14 EST

Created attachment 869621 [details]
always verify peer certificate on https

Comment 5 Garth Mollett 2014-03-05 20:24:56 EST

Created rubygem-rbovirt tracking bugs for this issue:

Affects: fedora-all [bug 1073189]
Affects: epel-6 [bug 1073190]

Comment 6 Fedora Update System 2014-03-15 11:18:00 EDT

rubygem-rbovirt-0.0.18-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-03-15 11:23:28 EDT

rubygem-rbovirt-0.0.18-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-03-21 18:32:39 EDT

rubygem-rbovirt-0.0.6-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.