CVE-2007-5162

Publication date 1 October 2007

Last updated 24 July 2024

Ubuntu priority

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
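The missing step described above is the identity check that runs after the TLS handshake: the client must confirm that the certificate the server presented actually names the host it asked for, otherwise any valid certificate from any host is accepted. The following is an added example, not code from the Ubuntu tracker or from the Ruby project; it assumes a current Ruby with the bundled openssl gem, builds constructed self-signed certificates in memory (no network access), and shows the check with OpenSSL::SSL.verify_certificate_identity alongside a Net::HTTP client configured so that it is performed.

```ruby
require 'openssl'
require 'net/http'

# Constructed test fixture: a self-signed certificate with the given CN and,
# optionally, DNS subjectAltName entries. Nothing here touches the network.
def make_cert(cn, san_hosts = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless san_hosts.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    sans = san_hosts.map { |h| "DNS:#{h}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', sans))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check the vulnerable connect() skipped: does the presented certificate
# name the host we asked for? verify_certificate_identity prefers dNSName SANs
# and falls back to the CN only when the certificate carries no dNSName entry.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# A client configured so the chain is verified against the CA store and the
# hostname is checked after the handshake (with VERIFY_PEER, Net::HTTP calls
# post_connection_check on the socket). The connection is not opened here.
def hardened_client(host)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # VERIFY_NONE would accept any cert
  http
end

if __FILE__ == $0
  cn_only  = make_cert('www.example.com')
  with_san = make_cert('www.example.com', ['api.example.com', '*.internal.example.com'])
  puts hostname_matches?(cn_only,  'www.example.com')         # true  (CN fallback)
  puts hostname_matches?(cn_only,  'attacker.example.net')    # false (the check this CVE lacked)
  puts hostname_matches?(with_san, 'api.example.com')         # true  (SAN entry)
  puts hostname_matches?(with_san, 'www.example.com')         # false (CN ignored once a dNSName SAN exists)
  puts hostname_matches?(with_san, 'db.internal.example.com') # true  (single-label wildcard)
  puts hostname_matches?(with_san, 'internal.example.com')    # false (wildcard does not cover the parent)
end
```

The two negative cases are the ones that matter for defenders: a certificate for some other host is rejected even if it chains to a trusted CA, and a CN is no longer consulted once the certificate carries a dNSName SAN, so a client that only compared CNs (as the affected Ruby versions did not even do) would still get the modern rules wrong. Setting verify_mode to VERIFY_PEER is what makes Net::HTTP run this check at all.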


Status

Package           Ubuntu Release     Status
libopenssl-ruby   8.04 LTS hardy     Not affected
                  7.10 gutsy         Not affected
                  7.04 feisty        Not affected
                  6.10 edgy          Not affected
                  6.06 LTS dapper    Not affected
ruby1.8           7.10 gutsy         Fixed 1.8.6.36-1ubuntu3.1
                  7.04 feisty        Fixed 1.8.5-4ubuntu2.1
                  6.10 edgy          Fixed 1.8.4-5ubuntu1.3
                  6.06 LTS dapper    Fixed 1.8.4-1ubuntu1.4

Notes

jdstrand

LP bug has debdiffs

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
ruby1.8

References

Related Ubuntu Security Notices (USN)

    • USN-596-1: Ruby vulnerabilities (26 March 2008)

Other references