Your submission was sent successfully! Close

CVE-2009-0642

Published: 20 February 2009

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.

Priority

Low

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
dapper
Released (1.8.4-1ubuntu1.7)
gutsy Needed
(reached end-of-life)
hardy
Released (1.8.6.111-2ubuntu1.3)
intrepid
Released (1.8.7.72-1ubuntu0.2)
jaunty
Released (1.8.7.72-3ubuntu0.1)
karmic Not vulnerable
(1.8.7.174-1)
lucid Not vulnerable
(1.8.7.174-1)
maverick Not vulnerable
(1.8.7.174-1)
natty Not vulnerable
(1.8.7.174-1)
oneiric Not vulnerable
(1.8.7.174-1)
upstream
Released (1.8.7.72-3.1)
Patches:
upstream: http://redmine.ruby-lang.org/repositories/revision/ruby-187?rev=22857
vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=18;filename=ruby1.8-1.8.7.72-3_1.8.7.72-3.1.patch;att=1;bug=517639


ruby1.9
Launchpad, Ubuntu, Debian
dapper Ignored
(reached end-of-life)
gutsy Needed
(reached end-of-life)
hardy Ignored
(reached end-of-life)
intrepid
Released (1.9.0.2-7ubuntu1.2)
jaunty
Released (1.9.0.2-9ubuntu1.1)
karmic Not vulnerable
(1.9.0.2-9.1ubuntu1)
lucid Not vulnerable
(1.9.0.2-9.1ubuntu1)
maverick Does not exist
(pulled 2010-07-27)
natty Does not exist
(pulled 2010-07-27)
oneiric Does not exist
(pulled 2010-07-27)
upstream
Released (1.9.0.2-9.1)
Patches:


upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22440
vendor: http://patch-tracking.debian.net/patch/series/view/ruby1.9/1.9.0.2-9.1/931_CVE-2009-0642