Source: ruby-faye Version: 1.2.4-1 Severity: grave Tags: security upstream Forwarded: https://github.com/faye/faye/issues/524 X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for ruby-faye. CVE-2020-15134[0]: | Faye before version 1.4.0, there is a lack of certification validation | in TLS handshakes. Faye uses em-http-request and faye-websocket in the | Ruby version of its client. Those libraries both use the | `EM::Connection#start_tls` method in EventMachine to implement the TLS | handshake whenever a `wss:` URL is used for the connection. This | method does not implement certificate verification by default, meaning | that it does not check that the server presents a valid and trusted | TLS certificate for the expected hostname. That means that any | `https:` or `wss:` connection made using these libraries is vulnerable | to a man-in-the-middle attack, since it does not confirm the identity | of the server it is connected to. The first request a Faye client | makes is always sent via normal HTTP, but later messages may be sent | via WebSocket. Therefore it is vulnerable to the same problem that | these underlying libraries are, and we needed both libraries to | support TLS verification before Faye could claim to do the same. Your | client would still be insecure if its initial HTTPS request was | verified, but later WebSocket connections were not. This is fixed in | Faye v1.4.0, which enables verification by default. For further | background information on this issue, please see the referenced GitHub | Advisory. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-15134 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134 [1] https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9 [2] https://github.com/faye/faye/issues/524 [3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/ Regards, Salvatore