Ruby 1.8.6-p111 / 1.8.5-p114 released (Security Fix)


Urabe Shyouhei

Hi all.

A problem in the net/https library was reported. We have already fixed it
in the repository, but we also think it is worth releasing. Here they are.
The only difference from the latest 1.8.6-p110 / 1.8.5-p113 is the
inclusion of the fixes for it.

Detailed information can be found in the original advisory:
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

Released tarballs are available at:

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.zip
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.tar.bz2
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.zip


And checksums:

 

NAKAMURA, Hiroshi


Hi,

Urabe said:
A problem in the net/https library was reported. We have already fixed it
in the repository, but we also think it is worth releasing. Here they are.
The only difference from the latest 1.8.6-p110 / 1.8.5-p113 is the
inclusion of the fixes for it.

Detailed information can be found in the original advisory:
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

It's not related to Ruby, but the report above should have a reference to
RFC 2818, section 3.1, Server Identity.

RFC 2818 says:

Automated clients MUST log the error to an appropriate audit log (if
available) and SHOULD terminate the connection (with a bad certificate
error).

So the net/http.rb versions on 1.8.6 and 1.8.5 SHOULD have
@enable_post_connection_check = true
as the trunk version does. I recommend turning it on as soon as
possible, although it's your business, Shyouhei. Balance security and
compatibility.

For users: the problem affects you if:
1. the code of your program, or of one of the libraries it depends on, uses
net/https for an SSL connection, plus,
2. the code sets http.verify_mode to OpenSSL::SSL::VERIFY_PEER
explicitly (the default is VERIFY_NONE, which means no security), plus,
3. the code sets http.ca_file properly.

open-uri.rb is not affected by this because it does check server
identity, though it does 2 and 3. imap.rb, smtp.rb, pop.rb and drb/ssl.rb
will be fixed soon.

Regards,
// NaHi

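As an added Ruby example (not code from the release or from NaHi's post), this builds a throwaway self-signed certificate (constructed test data) and runs the same identity comparison that post_connection_check performs, so you can see what a client with that check disabled silently skips even when the chain verifies. The helper names are this example's own.

```ruby
require 'openssl'

# Build a self-signed certificate for a given hostname. Constructed test
# data only: CN and subjectAltName both carry the name, as a real server
# certificate would.
def self_signed_cert_for(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3, needed for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The server identity check (RFC 2818 3.1) that post_connection_check
# performs: does the certificate's name match the host we meant to reach?
# Chain verification alone (VERIFY_PEER + ca_file) never asks this question.
def identity_matches?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# What a client that also checks identity should do with the result:
# :ok to proceed, :mismatch to log and terminate (bad certificate error).
# A client with the post-connection check disabled would accept both.
def classify_connection(cert, expected_host)
  identity_matches?(cert, expected_host) ? :ok : :mismatch
end

if __FILE__ == $0
  cert = self_signed_cert_for("www.example.com")
  p classify_connection(cert, "www.example.com")   # :ok
  p classify_connection(cert, "www.example.net")   # :mismatch
end
```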
 

Michal Suchanek

BTW

The checksum is not mentioned on the Japanese download page. I guess I
would notice a piece of Latin text on a Japanese page quite easily.

The release is not mentioned on the English download page at all.

The download pages do not mention the .bz2 version of the archive.

Thanks

Michal