CVE-2015-3900
Published: 24 June 2015
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Notes
| Author | Note |
|---|---|
| tyhicks | rubygems is for users of ruby1.8. ruby1.9.1 and jruby ship an embedded rubygems. |
| seth-arnold | I have doubts this patch actually addresses DNS hijacking adequately; this may properly restrict SRV records, but what verifies subsequent lookups to ensure the returned IPs aren't under attacker control? Marking 'low' as a result. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jruby Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
| wily |
Not vulnerable
|
|
|
libgems-ruby Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
|
ruby1.8 Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
| wily |
Does not exist
|
|
|
ruby2.1 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.1.5-4)
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Not vulnerable
(2.1.5-4ubuntu1)
|
|
|
Patches: upstream: https://github.com/rubygems/rubygems/commit/6bbee35 upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5 |
||
|
ruby2.2 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.2.2-3)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Not vulnerable
(2.2.2-3)
|
|
|
Patches: upstream: https://github.com/rubygems/rubygems/commit/6bbee35 upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5 |
||
|
ruby2.3 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
|
Patches: upstream: https://github.com/rubygems/rubygems/commit/6bbee35 upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5 |
||
|
rubygems Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.0.16, 2.2.4, 2.4.7)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|