CVE-2013-4073

Publication date 28 June 2013

Last updated 24 July 2024

Ubuntu priority

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ruby1.8	13.04 raring	Fixed 1.8.7.358-7ubuntu1.1
	12.10 quantal	Fixed 1.8.7.358-4ubuntu0.3
	12.04 LTS precise	Fixed 1.8.7.352-2ubuntu1.3
	10.04 LTS lucid	Ignored end of life
ruby1.9.1	13.04 raring	Fixed 1.9.3.194-8.1ubuntu1.1
	12.10 quantal	Fixed 1.9.3.194-1ubuntu1.5
	12.04 LTS precise	Fixed 1.9.3.0-1ubuntu2.7
	10.04 LTS lucid	Ignored end of life

Notes

mdeslaur

possible regression: https://bugs.ruby-lang.org/issues/8575

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ruby1.8	Upstream: 961bf74 Upstream: a3a62f8
ruby1.9.1	Upstream: 2669b84 Upstream: a3a62f8

References

Related Ubuntu Security Notices (USN)