It was discovered that the Ruby OpenSSL extension was overly permissive when verifying host names against X.509 certificate names with wildcards. This could cause Ruby TLS/SSL clients to accept certain certificates as valid, which is a violation of the RFC 6125 recommendations.
Ruby OpenSSL hostname matching implementation violates RFC 6125.
- Wildcard matching code allowed multiple wildcards (e.g. *.*.*)
- Wildcards were mishandled for IDNA names (ala CVE-2014-1492)
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1209982]
Fixed upstream in Ruby versions: 2.0.0p645, 2.1.6, and 2.2.2
Upstream bug report:
Upstream commit in ruby SVN:
(In reply to Vasyl Kaigorodov from comment #0)
> - Wildcard matching code allowed multiple wildcards (e.g. *.*.*)
This issue can only be exploited when trusted CA issues a certificated with multiple wildcards, which is unlikely / uncommon.
> - Wildcards were mishandled for IDNA names (ala CVE-2014-1492)
This problem is not considered as needing CVE, see:
This issue affects the versions of Ruby as shipped with Red Hat Enterprise Linux 5, 6, and 7, and Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future updates may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.