Red Hat Bugzilla – Bug 313691
CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate
Last modified: 2011-10-26 07:47:38 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5162 to the following vulnerability:
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS
libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN)
field in a server certificate matches the domain name in an HTTPS request,
which makes it easier for remote attackers to intercept SSL transmissions via a
man-in-the-middle attack or spoofed web site.
Patch applied to trunk:
(original advisory links to other commits in other svn branches)
This issue does not affect ruby packages as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not provide SSL support for Net::HTTP class.
This issue was addressed in:
Red Hat Enterprise Linux: