Author: carnil Date: 2017-10-07 09:28:51 +0000 (Sat, 07 Oct 2017) New Revision: 56491
Modified: data/CVE/list Log: Add CVE-2015-1828/ruby-http Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-07 09:17:47 UTC (rev 56490) +++ data/CVE/list 2017-10-07 09:28:51 UTC (rev 56491) @@ -93712,7 +93712,12 @@ CVE-2015-1829 (Unspecified vulnerability in the Oracle HTTP Server component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-1828 (The Ruby http gem before 0.7.3 does not verify hostnames in SSL ...) - TODO: check + - ruby-http 1.0.2-2 + NOTE: http.rb failed to call the `#post_connection_check` method on SSL connections. + NOTE: This method implements hostname verification, and without it `http.rb` was + NOTE: vulnerable to MitM attacks. The problem was corrected by calling + NOTE: `#post_connection_check`. + NOTE: Fixed by: https://github.com/httprb/http/commit/24626bfcdeda1084502575c3fbb6091c9e2815e0 CVE-2015-1827 (The get_user_grouplist function in the extdom plug-in in FreeIPA ...) - freeipa <not-affected> (Only affects 4.1, see bug #781224) NOTE: https://fedorahosted.org/freeipa/ticket/4908 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits