Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5162 to the following vulnerability: The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. References: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt http://www.securityfocus.com/bid/25847 http://www.securityfocus.com/archive/1/480987 Patch applied to trunk: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499 (original advisory links to other commits in other svn branches)
This issue does not affect ruby packages as shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not provide SSL support for Net::HTTP class.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0965.html http://rhn.redhat.com/errata/RHSA-2007-0961.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2406