seeing is believing
Showing 1 - 10 of 10 RSS Feed

CVE-2013-4073

Status Candidate

Overview

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '�' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Related Files

Apple Security Advisory 2014-02-25-1
Posted Feb 26, 2014
Authored by Apple | Site apple.com

Apple Security Advisory 2014-02-25-1 - OS X Mavericks 10.9.2 and Security Update 2014-001 is now available and addresses multiple security issues including the recent SSL vulnerability.

tags | advisory
systems | apple, osx
advisories | CVE-2011-3389, CVE-2013-1862, CVE-2013-1896, CVE-2013-4073, CVE-2013-4113, CVE-2013-4248, CVE-2013-5139, CVE-2013-5178, CVE-2013-5179, CVE-2013-5986, CVE-2013-5987, CVE-2013-6420, CVE-2013-6629, CVE-2014-1245, CVE-2014-1246, CVE-2014-1247, CVE-2014-1248, CVE-2014-1249, CVE-2014-1250, CVE-2014-1252, CVE-2014-1254, CVE-2014-1255, CVE-2014-1256, CVE-2014-1257, CVE-2014-1258, CVE-2014-1259, CVE-2014-1260, CVE-2014-1261
MD5 | 77202653b9ef1fb712388ec7bd192749
Debian Security Advisory 2809-1
Posted Dec 5, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2809-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language.

tags | advisory, vulnerability, ruby
systems | linux, debian
advisories | CVE-2013-1821, CVE-2013-4073, CVE-2013-4164
MD5 | e799f488cbc7b8db8045f474277c1fdd
Debian Security Advisory 2738-1
Posted Aug 19, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2738-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems.

tags | advisory, denial of service, vulnerability, ruby
systems | linux, debian
advisories | CVE-2013-1821, CVE-2013-4073
MD5 | e7041816e809e16607c33535519cca84
Red Hat Security Advisory 2013-1137-01
Posted Aug 5, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1137-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. All users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to these updated packages, which resolve this issue.

tags | advisory, spoof, ruby
systems | linux, redhat
advisories | CVE-2013-4073
MD5 | 01a393552a8d139a1abae980d4ca273d
Mandriva Linux Security Advisory 2013-201
Posted Jul 26, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-201 - A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. The updated packages have been patched to correct this issue.

tags | advisory, spoof, ruby
systems | linux, mandriva
advisories | CVE-2013-4073
MD5 | 7574aafeaf614ad40d21bea38268aaa1
Mandriva Linux Security Advisory 2013-200
Posted Jul 26, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-200 - The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion attack. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, spoof, ruby
systems | linux, mandriva
advisories | CVE-2012-4481, CVE-2013-1821, CVE-2013-4073
MD5 | 7ca279035d6b48ebee3a8a164700f7cb
Red Hat Security Advisory 2013-1103-01
Posted Jul 24, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1103-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. Red Hat OpenStack makes use of Puppet, which is written in Ruby. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct a man-in-the-middle attack against the Puppet master and its clients. Note that to exploit this issue, an attacker would need to get a carefully-crafted certificate signed by an authority that the Puppet master and clients trust.

tags | advisory, ruby
systems | linux, redhat
advisories | CVE-2013-4073
MD5 | 5e928029aabf36840608ca8a207f9a9a
Red Hat Security Advisory 2013-1090-01
Posted Jul 17, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1090-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.

tags | advisory, spoof, ruby
systems | linux, redhat
advisories | CVE-2013-4073
MD5 | c4f94b7db80e7d1277b17dd99343c945
Ubuntu Security Notice USN-1902-1
Posted Jul 9, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1902-1 - William (B.J.) Snow Orvis discovered that Ruby incorrectly verified the hostname in SSL certificates. An attacker could trick Ruby into trusting a rogue server certificate, which was signed by a trusted certificate authority, to perform a man-in-the-middle attack.

tags | advisory, ruby
systems | linux, ubuntu
advisories | CVE-2013-4073
MD5 | 2aec7e4cf62e3bd89c06a071da52f93d
Slackware Security Advisory - ruby Updates
Posted Jun 28, 2013
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue. Related CVE Numbers: CVE-2013-4073.

tags | advisory, ruby
systems | linux, slackware
advisories | CVE-2013-4073
MD5 | 4f6fde76da879e81713e68dd639551e4
Page 1 of 1
Back1Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close