CVE-2015-4020
Published: 25 August 2015
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
Notes
| Author | Note |
|---|---|
| tyhicks | rubygems is for users of ruby1.8. ruby1.9.1 and jruby ship an embedded rubygems. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jruby Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
|
libgems-ruby Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
ruby1.8 Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
|
ruby2.1 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
|
ruby2.2 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
rubygems Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|