CVE-2015-1855

Published: 9 April 2015

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Notes

Author	Note
mdeslaur	needs a cert with multiple wildcards

Priority

Cvss 3 Severity Score

5.9

Score breakdown

Status

Package	Release	Status
ruby1.8 Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Does not exist
	upstream	Needed
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
ruby1.9.1 Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Released (1.9.3.484-2ubuntu1.3)
	upstream	Needed
	utopic	Ignored (end of life)
	vivid	Ignored (end of life)
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
ruby2.0 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Released (2.0.0.484-1ubuntu2.4)
	upstream	Needed
	utopic	Ignored (end of life)
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
ruby2.1 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Needed
	utopic	Ignored (end of life)
	vivid	Ignored (end of life)
	wily	Not vulnerable (2.1.5-4ubuntu1)
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
ruby2.2 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (2.2.2-1)
	utopic	Does not exist
	vivid	Does not exist
	wily	Not vulnerable (2.2.2-1)
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
ruby2.3 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (2.2.2-1)
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Not vulnerable (2.2.2-1)
	yakkety	Not vulnerable (2.2.2-1)
	zesty	Not vulnerable (2.2.2-1)
	Patches: upstream: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596

Severity score breakdown

Parameter	Value
Base score	5.9
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Bugs

https://bugs.ruby-lang.org/issues/9644

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›