ruby-list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Urabe Shyouhei wrote:
> A problem on the net/https library was reported. We already fixed that
> on the repository, but we also think it worth releasing. Here they are.
> The only difference with the latest 1.8.6-p110 / 1.8.5-p113 is the
> inclusion of fixes to it.
> 
> Detailed information should be found at the original advisory:
> http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

It's not related to ruby but the report above should have a reference to
RFC2818 3.1. Server Identity.

RFC2818 said:

   Automated
   clients MUST log the error to an appropriate audit log (if available)
   and SHOULD terminate the connection (with a bad certificate error).

So net/http.rb versions on 1.8.6 and 1.8.5 SHOULD have
  @enable_post_connection_check = true
as well as a trunk version.  I recommend turning it on as soon as
possible although it's your business, syouhei.  Balance security and
compatibility.

For users: the problem affects if;
 1. code of your program or one of depending libraries is using
    net/https for SSL connection, plus,
 2. the code sets http.verify_mode to OpenSSL::SSL::VERIFY_PEER
    explicitly (VERIFY_NONE, which means no security, by default), plus,
 3. the code sets http.ca_file properly.

open-uri.rb is not affected on this because it does check server
identity though it does 2 and 3.  imap.rb, smtp.rb, pop.rb, drb/ssl.rb
will be fixed soon.

Regards,
// NaHi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)

iQEVAwUBRwTrbB9L2jg5EEGlAQKrvggAwsB0AwpTuL0enc9UtUhLBhvKDIUwr6eu
L5kAKxYn2CXH/r9AJY8F/fHT2jUeciIsnorkDwUIx+sHib2X2lo0XUWCqflusijb
h1g7rSVVBlKEX3wvfgugWkbZjd17dFj3Z12D+oLxZHi2La0dwJdFe8UgQ1+POf6l
iODrWKshN8d4olf9v++4LE49kUEnt/OGXMNMLENvwV3HnBGO8qtD/S85hjjIGZnV
8JerSBziCffJGglE7+xozElfs23HZW4gBjoLCVanK0slEHzO0GmY94P6DGLO4VhW
YCPP7M+1Nq+3fJPSXlT56SkcqyfWIcABpEKM+puUPD7dotFwqt8VXw==
=nu+h
-----END PGP SIGNATURE-----

Thread

Prev Next

In This Thread

Prev Next

[#44064] [ANN] Ruby クックブック読書会第一回 — cuzic <cuzic@...>

[#44065] Patrick Lenz氏のRails本がPDFで無償ダウンロード — "徳島学" <manabu.tokushima@...>

[#44066] Ruby 1.8.6-p111 / 1.8.5-p114 released (Security Fix) — Urabe Shyouhei <shyouhei@...>

[#44069] やってもーた！ — Shin-ichiro HARA <sinara@...>

[#44072] Windows で Ruby-GNOME — Five point Five <5.5@...>

[#44082] Regexp.union([pattern, ...]) に騙されました — しん <dezawa@...>

[#44088] Mac os xでのruby/sdlで画像読み込みエラー — wataru <xezoon@...>

[#44090] Windowsアプリにrubyを組み込んだときのエラーメッセージ — "湊大典" <minato.daisuke@...>

[#44093] Rails勉強会@東北第5回のお知らせ — 片平 裕市 <yuichi_katahira@...>

[#44094] XREAのCORESERVERへRuby on Railsをインストール — Michael <michael@...>

[#44096] [ANN] Rails勉強会@東京 第23回のお知らせ — "MOROHASHI Kyosuke" <moronatural@...>

[#44099] [PATCH] rexml/source.rb の小さなバグ — Kobayashi Noritada <nori1@...>

[#44100] [ANN] ulmul.rb: RD-like text file to xhtml file converter (with MathML and Slidy) — NISHIMATSU Takeshi <t_nissie@...>

[#44102] [ANN]10/19(金)まつもとさんセミナー(無料)のご案内@東京三鷹市 — sakaki <sakaki@...>

[#44112] String#uptoについて — Kunimi Ikeda <kunimi.ikeda@...>

[#44115] Windows上でのShift JIS範囲外のファイル名の扱いについて — 真田 <jecy00@...>

[#44118] freeze と TypeError — "Hajime Hoshi" <hajimehoshi@...>

[#44121] 【ご案内】勉強会(Ruby資格認定試験の応援イベント) — Hiroshi Inoue <ml@...>

[#44122] 組み込みrubyでのsystemのバグ？ — "湊大典" <minato.daisuke@...>

[#44125] ruby-tk with tcltk8.5b1 — Ryutaro Amano <wn9r-amn@...>

[#44139] [再]Rails勉強会@東北第5回のお知らせ — 片平 裕市 <yuichi_katahira@...>

[#44145] [ANN] Ruby Sapporo Night vol.3 — "SHIMADA Koji" <snoozer.05@...>

[#44147] 2個づつの組を作る方法のすべて — "142QN4969@..." <ohrs@...>

[#44156] まつもとさんのAsianux Road Show in Tokyoでの講演 — Hiro Yoshioka <hyoshiok@...>

[#44161] Ruby公式ロゴコンテスト結果発表 — Yukihiro Matsumoto <matz@...>

[#44162] [ANN] Ruby勉強会＠札幌第6回（運営：Ruby 札幌） — "SHIMADA Koji" <snoozer.05@...>

[#44166] rubyでお勧めのGUIプログラミング方法は？ — Kazuhiro OHTANI <kotani@...>

[ruby-list:44070] Re: Ruby 1.8.6-p111 / 1.8.5-p114 released (Security Fix)

Thread

In This Thread

[#44093] Rails勉強会@東北第5回のお知らせ — 片平裕市 <yuichi_katahira@...>

[#44096] [ANN] Rails勉強会@東京第23回のお知らせ — "MOROHASHI Kyosuke" <moronatural@...>

[#44139] [再]Rails勉強会@東北第5回のお知らせ — 片平裕市 <yuichi_katahira@...>