[Secure-testing-commits] r56491 - data/CVE

Salvatore Bonaccorso Sat, 07 Oct 2017 02:29:29 -0700

Author: carnil
Date: 2017-10-07 09:28:51 +0000 (Sat, 07 Oct 2017)
New Revision: 56491


Modified:
   data/CVE/list
Log:
Add CVE-2015-1828/ruby-http

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-10-07 09:17:47 UTC (rev 56490)
+++ data/CVE/list       2017-10-07 09:28:51 UTC (rev 56491)
@@ -93712,7 +93712,12 @@
 CVE-2015-1829 (Unspecified vulnerability in the Oracle HTTP Server component 
in ...)
        NOT-FOR-US: Oracle Fusion Middleware
 CVE-2015-1828 (The Ruby http gem before 0.7.3 does not verify hostnames in SSL 
...)
-       TODO: check
+       - ruby-http 1.0.2-2
+       NOTE: http.rb failed to call the `#post_connection_check` method on SSL 
connections.
+       NOTE: This method implements hostname verification, and without it 
`http.rb` was
+       NOTE: vulnerable to MitM attacks. The problem was corrected by calling
+       NOTE: `#post_connection_check`.
+       NOTE: Fixed by: 
https://github.com/httprb/http/commit/24626bfcdeda1084502575c3fbb6091c9e2815e0
 CVE-2015-1827 (The get_user_grouplist function in the extdom plug-in in 
FreeIPA ...)
        - freeipa <not-affected> (Only affects 4.1, see bug #781224)
        NOTE: https://fedorahosted.org/freeipa/ticket/4908


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r56491 - data/CVE

Reply via email to