Your submission was sent successfully! Close

CVE-2015-1855

Published: 9 April 2015

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Notes

AuthorNote
mdeslaur
needs a cert with multiple wildcards
Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
ruby1.8
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist
(precise was needed)
trusty Does not exist

upstream Needed

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:
upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596





ruby1.9.1
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was released [1.9.3.484-2ubuntu1.3])
upstream Needed

utopic Ignored
(reached end-of-life)
vivid Ignored
(reached end-of-life)
wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:

upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596




ruby2.0
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty Does not exist
(trusty was released [2.0.0.484-1ubuntu2.4])
upstream Needed

utopic Ignored
(reached end-of-life)
vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:


upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596



ruby2.1
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty Does not exist

upstream Needed

utopic Ignored
(reached end-of-life)
vivid Ignored
(reached end-of-life)
wily Not vulnerable
(2.1.5-4ubuntu1)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:



upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596


ruby2.2
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (2.2.2-1)
utopic Does not exist

vivid Does not exist

wily Not vulnerable
(2.2.2-1)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:




upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596

ruby2.3
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (2.2.2-1)
utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Not vulnerable
(2.2.2-1)
yakkety Not vulnerable
(2.2.2-1)
zesty Not vulnerable
(2.2.2-1)
Patches:





upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596