Ruby Net::HTTP Library Insecure Server Certificate CN Validation Vulnerability

Vulnerability details


Vulnerability summary

Ruby is a powerful object-oriented scripting language.

Ruby's Net::HTTPS library has an implementation flaw that an attacker could exploit to obtain sensitive information from a session.

Ruby's Net::HTTPS library does not check the name in the server's SSL certificate against the DNS name the user requested: after the SSL handshake, the connect method in http.rb never calls post_connection_check. Because the server certificate CN is not compared with the requested DNS name, an attacker who can interpose on the connection can impersonate the intended server of the SSL session, defeating the confidentiality and integrity that SSL is supposed to provide.
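The following Ruby program is an added illustration, not code from this advisory or from the Ruby project. It reproduces the defect described above and the fix in isolation: a TLS handshake over an in-process socket pair, with the client either stopping after the chain check (the pre-fix connect) or additionally calling post_connection_check on the requested name. The certificate, the server names (api.example.test, login.example.test, *.internal.example.test) and the trust store are all constructed inline, so it runs offline. It uses the current openssl gem API (OpenSSL::SSL.verify_certificate_identity and SSLSocket#post_connection_check); the 2007 Ruby 1.8 code differed in detail, and today's Net::HTTP performs the hostname check itself, so the raw SSLSocket pattern here only models the old behaviour.

```ruby
require 'openssl'
require 'socket'

# Build a self-signed certificate for a constructed server name. With an
# empty SAN list only the subject CN carries the name (the situation the
# advisory describes); otherwise the dNSName SANs are what a client must match.
def make_self_signed_cert(cn, sans = [cn])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  unless sans.empty?
    cert.add_extension(ef.create_extension("subjectAltName",
                                           sans.map { |s| "DNS:#{s}" }.join(",")))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The identity comparison that post_connection_check performs: dNSName SANs
# are matched first (wildcards included); the CN is consulted only when the
# certificate carries no dNSName SAN at all.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Complete a TLS handshake over an in-process socket pair (no network needed).
# The chain is verified against a store that trusts only `cert`, as a client
# with VERIFY_PEER would. check_hostname: false reproduces the pre-fix connect
# (chain valid, name never compared); check_hostname: true adds the
# post_connection_check call that the fix introduced.
def tls_connect(key, cert, requested_host, check_hostname:)
  client_io, server_io = UNIXSocket.pair
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key  = key
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept
    rescue OpenSSL::SSL::SSLError, IOError
      nil # the client side aborted the handshake; nothing more to do
    end
  end

  store = OpenSSL::X509::Store.new
  store.add_cert(cert)                      # trust only the constructed cert
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.cert_store  = store
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  ssl.connect                               # chain check only, no name check
  ssl.post_connection_check(requested_host) if check_hostname
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  ssl&.close
  server&.join
  client_io&.close
  server_io&.close
end

if __FILE__ == $0
  key, cert = make_self_signed_cert("api.example.test",
                                    ["api.example.test", "*.internal.example.test"])
  puts "pre-fix connect, requested login.example.test: " \
       "#{tls_connect(key, cert, 'login.example.test', check_hostname: false)}"
  puts "fixed connect,   requested login.example.test: " \
       "#{tls_connect(key, cert, 'login.example.test', check_hostname: true)}"
end
```

With a valid certificate for api.example.test, the pre-fix path reports :accepted even though the client asked for login.example.test, which is exactly the impersonation window the advisory describes; the fixed path reports :rejected for that name and :accepted only for a name the certificate actually covers. hostname_matches? is the reusable part for defenders: run it in a test suite against the certificates your services present, and note that once a certificate carries any dNSName SAN the CN is ignored, so a CN-only certificate that "used to work" can stop matching after a SAN is added.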

Vulnerability advisory

The vendor has released an upgrade patch that fixes this security issue. Patch download links:

Debian has issued a security advisory (DSA-1410-1) together with the corresponding patches:

DSA-1410-1:New ruby1.8 packages fix insecure SSL certificate

Link:

http://www.debian.org/security/2007/dsa-1410

Patch downloads:

Source archives:

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6.diff.gz

Size/MD5 checksum: 538242 39599e76e17e8b5cc1ec766b71593d9f

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6.dsc

Size/MD5 checksum: 1024 b1798609dcf45a62e1d9afc4fe93bfff

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2.orig.tar.gz

Size/MD5 checksum: 3623780 4bc5254bec262d18cf1ceef03aae8bdf

Architecture independent packages:

http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.2-7sarge6_all.deb

Size/MD5 checksum: 714364 09696ca7acac5bab3e3d06a9ae660e62

http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.2-7sarge6_all.deb

Size/MD5 checksum: 166946 32d06bc68ea2265bea556dc2226ed04d

http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge6_all.deb

Size/MD5 checksum: 234778 8de6b4af2fefe62a68ee879ebe7ff883

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge6_all.deb

Size/MD5 checksum: 143970 1a910ea5668693d3a6d2c557f18385a5

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge6_all.deb

Size/MD5 checksum: 219566 d5e35a1d40a6a072b56a49e5a187bd84

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 134122 692423c760d0c010d62303c683ae5b9c

http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 239626 72825b5c797687a684d565b878fc687e

http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 138232 4fb20d59981cae34ab7904013f262f18

http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 827678 93e80a7a28254547b9c8d206e15e8a24

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 796352 b6f60a2f2cdec72d3ccd79e7786ca894

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 153134 dbcd57f97f2317a4f0634e930e138fa3

http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 1477690 e2795b5de4dbc4530d1047bcace240c1

http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 136664 e0ac034c3873b75e375b99322659501b

http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge6_alpha.deb

Size/MD5 checksum: 1480146 79b24141759b2b95d2f1ec65c548b620

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 1447486 800abb11f9c785186e65070ef2828d26

http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 1393124 bb473bf5d25f7547e320132c9df9e359

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 152322 7df90f3e6035ca5a6faf4cd7d2b69645

http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 649882 6841742c85ec07f2e80a7d6a0901b3e3

http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 136038 9631afc8383ad8b24568a3a7cc13fe4f

http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 137510 bda0b8be47b912e1b3ea91701791a17f

http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 781520 652266305893bb4f2961cbdb56d6e277

http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge6_amd64.deb

Size/MD5 checksum: 234924 2c4b2b0cfd5aa03

References

Source: BID
Name: 25847
Link: http://www.securityfocus.com/bid/25847

Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504

Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502

Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500

Source: svn.ruby-lang.org
Link: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499

Source: FEDORA
Name: FEDORA-2007-2685
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html

Source: FEDORA
Name: FEDORA-2007-2406
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html

Source: FEDORA
Name: FEDORA-2007-718
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html

Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=313791

Source: XF
Name: ruby-nethttps-mitm(36861)
Link: http://xforce.iss.net/xforce/xfdb/36861

Source: BUGTRAQ
Name: 20071112 FLEA-2007-0068-1 ruby
Link: http://www.securityfocus.com/archive/1/archive/1/483577/100/0/threaded

Source: BUGTRAQ
Name: 20070927 Ruby Net::HTTPS library does not validate server certificate CN
Link: http://www.securityfocus.com/archive/1/archive/1/480987/100/0/threaded

Source: REDHAT
Name: RHSA-2007:0965
Link: http://www.redhat.com/support/errata/RHSA-2007-0965.html

Source: REDHAT
Name: RHSA-2007:0961
Link: http://www.redhat.com/support/errata/RHSA-2007-0961.html

Source: SUSE
Name: SUSE-SR:2007:024
Link: http://www.novell.com/linux/security/advisories/2007_24_sr.html

Source: MANDRIVA
Name: MDVSA-2008:029
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:029

Source: MISC
Link: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

Source: VUPEN
Name: ADV-2007-3340
Link: http://www.frsirt.com/english/advisories/2007/3340

Source: DEBIAN
Name: DSA-1412
Link: http://www.debian.org/security/2007/dsa-1412

Source: DEBIAN
Name: DSA-1411
Link: http://www.debian.org/security/2007/dsa-1411

Source: DEBIAN
Name: DSA-1410
Link: http://www.debian.org/security/2007/dsa-1410

Source: SREASON
Name: 3180
Link: http://securityreason.com/securityalert/3180

Source: SECUNIA
Name: 28645
Link: http://secunia.com/advisories/28645

Source: SECUNIA
Name: 27818
Link: http://secunia.com/advisories/27818

Source: SECUNIA
Name: 27769
Link: http://secunia.com/advisories/27769

Source: SECUNIA
Name: 27764
Link: http://secunia.com/advisories/27764

Source: SECUNIA
Name: 27756
Link: http://secunia.com/advisories/27756

Source: SECUNIA
Name: 27673
Link: http://secunia.com/advisories/27673

Source: SECUNIA
Name: 27576
Link: http://secunia.com/advisories/27576

Source: SECUNIA
Name: 27432
Link: http://secunia.com/advisories/27432

Source: SECUNIA
Name: 27044
Link: http://secunia.com/advisories/27044

Source: SECUNIA
Name: 26985
Link: http://secunia.com/advisories/26985

Source: UBUNTU
Name: USN-596-1
Link: http://www.ubuntu.com/usn/usn-596-1

Source: SECUNIA
Name: 29556
Link: http://secunia.com/advisories/29556
