oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

rubygems insecure download (and other problems)

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 14 Aug 2013 14:59:12 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think this is CVE worthy, but it is worth fixing and not
putting everyone at such risk:

https://bugzilla.novell.com/show_bug.cgi?id=834785
https://bugzilla.redhat.com/show_bug.cgi?id=997179

Problem #1:
install /etc/gemrc to install gems via https rather than http

everyone should be enabling HTTPS where possible, intercepting and
modifying HTTP is trivial.

Problem #2:
it redirects to  production.cf.rubygems.org which is on cloudfront so
has certificate mismatch, so either users have to accept insecurity,
or... well there is no second choice =(.

https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSC++gAAoJEBYNRVNeJnmTb44P/243B7aF7hZCx23I3WnIP/in
hQElGjUzTvzJIbPo4krhupYnZMxFNRyHC+YcrZeKeZvgwF0px2B/iK4T/4rB1MXU
Hii6cgXWS9t9ULgPQtEYcvGIweV9oqU11W2ESCDqkddmzSclVOWTCvdNnUkFO+sd
v4U5KsVt+1kNgeVcE17gy5vBmaiuKquvSM2xpZJAXx6ryTquTsq7IUfSG/ilOwY9
CeCUBJAQyUfKomcGOuDUiY0Ta7deZP3/QjN0N2kQSHG78P21Eary4TqKLi9N10ii
PQ+3G61h8FLBgyrT9THSWWEJHnQhJBx2/dg4WNmUuvwNIvI5un0Bwpr236/87Nkg
nTnhUOxiMrbHS1/yJ6MJe+SnULDGw8o66YJNYeSTsoyN/HSPMXRiqJuhJAMV1mkf
y8sCc2SQednAOoRkPHamEU1zfMG5e+lM5NDJBVrGSpT2Q/2M9dcD11/mXSaYY3qO
kAOaFzwYt3/RNoXzgWfuP84brMDz66scWmKXUMuntMnuwcf1/2tGqaaZ4b16H6u1
kPTrreciqYr/tGgwr0rmTCw3Ejmi18CMWfTEOipdtwQkTuY/4gSggBspLBC/Q2tJ
hUqdMvz343MvnfLtQnFnP19FyQPQMpn4CNuFs9oOVNPJ6nzrnPc1c+kQrSRX/OYe
NEs9EM69KFXdxcXcg6c9
=PZMb
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: