Ruby OpenSSL hostname matching implementation violates RFC 6125. - Wildcard matching code allowed multiple wildcards (e.g. *.*.*) - Wildcards were mishandled for IDNA names (ala CVE-2014-1492) Upstream patch: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1209982]
Fixed upstream in Ruby versions: 2.0.0p645, 2.1.6, and 2.2.2 Upstream bug report: https://bugs.ruby-lang.org/issues/9644 Upstream commit in ruby SVN: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=50292 External References: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
(In reply to Vasyl Kaigorodov from comment #0) > - Wildcard matching code allowed multiple wildcards (e.g. *.*.*) This issue can only be exploited when trusted CA issues a certificated with multiple wildcards, which is unlikely / uncommon. > - Wildcards were mishandled for IDNA names (ala CVE-2014-1492) This problem is not considered as needing CVE, see: http://seclists.org/oss-sec/2015/q2/523
Statement: This issue affects the versions of Ruby as shipped with Red Hat Enterprise Linux 5, 6, and 7, and Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future updates may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.