Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2015-3900

Published: 24 June 2015

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Notes

AuthorNote
tyhicks
rubygems is for users of ruby1.8. ruby1.9.1 and jruby ship an
embedded rubygems.
seth-arnold
I have doubts this patch actually addresses DNS hijacking
adequately; this may properly restrict SRV records, but what verifies
subsequent lookups to ensure the returned IPs aren't under attacker
control? Marking 'low' as a result.
Priority

Low

Status

Package Release Status
jruby
Launchpad, Ubuntu, Debian
precise Not vulnerable

trusty Not vulnerable

upstream Not vulnerable

utopic Not vulnerable

vivid Does not exist

wily Not vulnerable

xenial Not vulnerable

libgems-ruby
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream Not vulnerable

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

ruby1.8
Launchpad, Ubuntu, Debian
precise Not vulnerable

trusty Does not exist

upstream Not vulnerable

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

ruby1.9.1
Launchpad, Ubuntu, Debian
precise Not vulnerable

trusty Does not exist
(trusty was not-affected)
upstream Not vulnerable

utopic Not vulnerable

vivid Does not exist

wily Does not exist

xenial Does not exist

ruby2.1
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream
Released (2.1.5-4)
utopic Ignored
(reached end-of-life)
vivid Does not exist

wily Not vulnerable
(2.1.5-4ubuntu1)
xenial Does not exist

Patches:
upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5




ruby2.2
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream
Released (2.2.2-3)
utopic Does not exist

vivid Does not exist

wily Not vulnerable
(2.2.2-3)
xenial Not vulnerable
(2.2.2-3)
Patches:


upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5


ruby2.3
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream Needs triage

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Not vulnerable

Patches:




upstream: https://github.com/rubygems/rubygems/commit/6bbee35
upstream: https://github.com/rubygems/rubygems/commit/5c7bfb5
rubygems
Launchpad, Ubuntu, Debian
precise Not vulnerable

trusty Does not exist

upstream
Released (2.0.16, 2.2.4, 2.4.7)
utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist