A vulnerability hostname check bypassed was found in the OpenSSL implementation binding version of Ruby. This vulnerability is caused by incorrect parsing of null bytes in the X509 name, which can be placed by attackers"Www.ruby-lang.org \ 0example.com"This certificate is read by the Ruby client and then parsed"Www.ruby-lang.org". This causes the certificate verification program to be suspended and the certificate is recognized as from"Www.ruby-lang.org". If attackers can obtain a certificate containing null bytesSubjectAltNameThey can use this certificate as the intermediary between the victim and the website.
All Ruby versions are affected by this vulnerability, including Ruby 1.8.7 p373 or earlier versions, Ruby 1.9.3 p447 or earlier versions, and Ruby 2.0 p246 and earlier versions. This problem exists in all versions earlier than 41670 In the Ruby source code tree. Update Ruby 1.8.7 p374, Ruby 1.9.3 p448, and Ruby 2.0.0 p247 immediately. At the same time, the Ruby 1.8.7 update also contains another security vulnerability, which is about the DoS Vulnerability of REXML entity extensions.
Link: http://www.oschina.net/news/41828/ruby-update-fixes-ssl-man-in-the-middle-vulnerability
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
