Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0642 to the following vulnerability:

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0642
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
http://redmine.ruby-lang.org/issues/show/1091
http://www.securityfocus.com/bid/33769
http://xforce.iss.net/xforce/xfdb/48761

Patch:
http://redmine.ruby-lang.org/attachments/download/241
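The point of this CVE, seen from the Ruby caller's side: OpenSSL's OCSP_basic_verify reports success, failure and internal error with different return codes, and the wrapper must map only a genuine success to true, with the caller in turn accepting nothing but an exact true. The example below is added here and is not code from this ticket, from Red Hat or from the Ruby project; it builds its own throwaway CA, leaf certificate and rogue CA (constructed fixtures, not real material), uses the current OpenSSL::OCSP API (Time objects for timestamps, an explicit digest argument to sign), and names the helpers make_cert, build_response and verified_cert_status, which are assumptions of this illustration.

```ruby
require "openssl"

DIGEST = "SHA256"

# Build a throwaway X.509 certificate (constructed fixture, not real material).
def make_cert(subject, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  bc = ca ? "CA:TRUE" : "CA:FALSE"
  ku = ca ? "keyCertSign,cRLSign,digitalSignature" : "digitalSignature"
  cert.add_extension(ef.create_extension("basicConstraints", bc, true))
  cert.add_extension(ef.create_extension("keyUsage", ku, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Constructed fixtures: a trusted CA, a leaf it issued, and a rogue
# self-signed CA that is deliberately NOT in the trust store.
CA_KEY     = OpenSSL::PKey::RSA.new(2048)
CA_CERT    = make_cert("/CN=Example Trusted CA", CA_KEY, serial: 1, ca: true)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT  = make_cert("/CN=server.example", LEAF_KEY, serial: 2, ca: false,
                       issuer_cert: CA_CERT, issuer_key: CA_KEY)
ROGUE_KEY  = OpenSSL::PKey::RSA.new(2048)
ROGUE_CERT = make_cert("/CN=Rogue CA", ROGUE_KEY, serial: 1, ca: true)

STORE = OpenSSL::X509::Store.new
STORE.add_cert(CA_CERT)

# Responder side: a DER-encoded OCSP response about LEAF_CERT, signed by
# whichever certificate/key the caller supplies (the rogue CA stands in for
# an attacker who controls the network path to the responder).
def build_response(status, signer_cert, signer_key)
  cid  = OpenSSL::OCSP::CertificateId.new(LEAF_CERT, CA_CERT)
  bres = OpenSSL::OCSP::BasicResponse.new
  revoked = status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
  bres.add_status(cid, status,
                  revoked ? OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE : 0,
                  revoked ? Time.now - 600 : nil,   # revocationTime
                  Time.now - 60, Time.now + 3600,   # thisUpdate, nextUpdate
                  nil)
  # An empty (not nil) certs array embeds the signer certificate in the
  # response, which is how a real responder lets clients locate the signer.
  bres.sign(signer_cert, signer_key, [], 0, DIGEST)
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres).to_der
end

# Client side. BasicResponse#verify wraps OCSP_basic_verify, whose return
# codes distinguish success, failure and internal error; the bug in this
# ticket was the wrapper collapsing them so that an error looked like
# success. The rule is the same at every layer: accept only an exact
# `true`, and treat false, nil and exceptions alike as "unverified"
# (nil here), never as "not revoked".
def verified_cert_status(der, subject_cert, issuer_cert, store)
  res = OpenSSL::OCSP::Response.new(der)
  return nil unless res.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
  bres = res.basic
  return nil unless bres && bres.verify([], store) == true
  want = OpenSSL::OCSP::CertificateId.new(subject_cert, issuer_cert)
  entry = bres.status.find { |st| st[0].cmp(want) }
  return nil unless entry
  case entry[1]
  when OpenSSL::OCSP::V_CERTSTATUS_GOOD    then :good
  when OpenSSL::OCSP::V_CERTSTATUS_REVOKED then :revoked
  else :unknown
  end
rescue OpenSSL::OCSP::OCSPError, OpenSSL::X509::CertificateError
  nil
end

if __FILE__ == $0
  genuine = build_response(OpenSSL::OCSP::V_CERTSTATUS_GOOD, CA_CERT, CA_KEY)
  forged  = build_response(OpenSSL::OCSP::V_CERTSTATUS_GOOD, ROGUE_CERT, ROGUE_KEY)
  p verified_cert_status(genuine, LEAF_CERT, CA_CERT, STORE)  # :good
  p verified_cert_status(forged,  LEAF_CERT, CA_CERT, STORE)  # nil: signer not trusted
end
```

The forged response carries a perfectly valid signature and the signer's certificate; what fails is the chain check against the trust store, which is exactly the kind of non-success result that a sloppy "anything non-zero is fine" test on OCSP_basic_verify would have waved through.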
This issue does NOT affect the versions of the Ruby package as shipped with Red Hat Enterprise Linux 2.1 and 3. This issue affects the versions of the Ruby package as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the versions of the Ruby package as shipped with Fedora releases 9, 10 and devel.
Can you file a bug for each release? Or don't we need it anymore?
Upstream SVN commit: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22440
Fixed in 1.8.6-p368 in F-10, F-11 and devel.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1140 https://rhn.redhat.com/errata/RHSA-2009-1140.html