A flaw was discovered in a way various ruby net::* modules verify commonName (CN) attribute of SSL certificate provided by server against requested hostname, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed site. Issue was originally reported for net::http(s) module and was assigned CVE id CVE-2007-5162. However, similar issue also affects other modules: net::ftptls, net::telnets, net::imap and CVS versions of net::pop and net::smtp. Upstream SVN commit: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0965.html http://rhn.redhat.com/errata/RHSA-2007-0961.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2685 https://admin.fedoraproject.org/updates/F8/FEDORA-2007-2812