oss-sec mailing list archives

CVE Request -- rubygems: Two security fixes in upstream v1.8.23 version


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 20 Apr 2012 17:01:06 +0200

Hello Kurt, Steve, Eric, Evan, vendors,

  two security fixes have been recently corrected in upstream rubygems-v1.8.23 version:
  #1 RubyGems now disallows redirection from HTTPS to HTTP.
  #2 RubyGems now verifies SSL connections.

References:
[1] https://github.com/rubygems/rubygems/blob/1.8/History.txt (rubygems History.txt)
[2] https://github.com/rubygems/rubygems/commit/d4c7eafb8efe1e13a7abf5be5a5b4548870b15b7
    (relevant rubygems git commit)
[3] http://www.ruby-lang.org/en/news/2012/04/20/ruby-1-9-3-p194-is-released/
    (Ruby v1.9.3-p194 version announcement)
[4] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&sortby=date&revision=35404
    (Ruby language SVN repository commit)
[5] https://bugzilla.redhat.com/show_bug.cgi?id=814718
    (Red Hat bugzilla entry)

Both the [2] and [4] patches include fixes for both issues. For the case #2
the security implications are clear.

Kurt, could you allocate two CVE ids for these issues?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
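The two fixes named above (refusing an HTTPS-to-HTTP redirect, and verifying the server certificate on SSL connections) are easy to mirror in any Ruby HTTP client. The code below is an added example, not RubyGems' own code; the function names, the `InsecureRedirectError` class and the `mirror.example` host are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Raised when following a redirect would move an HTTPS request onto plain HTTP.
class InsecureRedirectError < StandardError; end

# Resolve a Location header against the current URI and refuse any downgrade
# from https to a weaker scheme (fix #1 in the mail above).
def resolve_redirect(current_uri, location)
  target = URI.join(current_uri.to_s, location)
  if current_uri.scheme == 'https' && target.scheme != 'https'
    raise InsecureRedirectError, "refusing redirect from #{current_uri} to #{target}"
  end
  target
end

# Build a client that verifies the peer certificate chain on https URIs
# (fix #2). Without VERIFY_PEER a client silently accepts any certificate.
def build_client(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  http
end

# Follow redirects with the downgrade check applied at every hop. The request
# is performed by the given block so the logic can be exercised offline; by
# default it issues a real GET through build_client.
def fetch_with_safe_redirects(uri, max_hops: 5)
  uri = URI(uri)
  hops = 0
  loop do
    response = if block_given?
                 yield(uri)
               else
                 build_client(uri).request(Net::HTTP::Get.new(uri))
               end
    return response unless response.is_a?(Net::HTTPRedirection)
    hops += 1
    raise "too many redirects (#{hops})" if hops > max_hops
    uri = resolve_redirect(uri, response['location'])
  end
end
```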

