Re: rubygems insecure download (and other problems)

[Donald Stufft <donald () stufft io>]

On Aug 14, 2013, at 4:59 PM, Kurt Seifried <kseifried () redhat com> wrote:

> Signed PGP part
> I don't think this is CVE worthy, but it is worth fixing and not
> putting everyone at such risk:
>
> https://bugzilla.novell.com/show_bug.cgi?id=834785
> https://bugzilla.redhat.com/show_bug.cgi?id=997179
>
> Problem #1:
> install /etc/gemrc to install gems via https rather than http
>
> everyone should be enabling HTTPS where possible, intercepting and
> modifying HTTP is trivial.
>
> Problem #2:
> it redirects to  production.cf.rubygems.org which is on cloudfront so
> has certificate mismatch, so either users have to accept insecurity,
> or... well there is no second choice =(.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org
>
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

pip has a CVE for downloading via HTTP, does switching the
gem to HTTPS actually make gem verify it?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail