Debian Bug report logs -
#967063
ruby-faye: CVE-2020-15134
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#967063; Package src:ruby-faye.
(Mon, 03 Aug 2020 19:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Mon, 03 Aug 2020 19:24:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ruby-faye
Version: 1.2.4-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/faye/faye/issues/524
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for ruby-faye.
CVE-2020-15134[0]:
| Faye before version 1.4.0, there is a lack of certification validation
| in TLS handshakes. Faye uses em-http-request and faye-websocket in the
| Ruby version of its client. Those libraries both use the
| `EM::Connection#start_tls` method in EventMachine to implement the TLS
| handshake whenever a `wss:` URL is used for the connection. This
| method does not implement certificate verification by default, meaning
| that it does not check that the server presents a valid and trusted
| TLS certificate for the expected hostname. That means that any
| `https:` or `wss:` connection made using these libraries is vulnerable
| to a man-in-the-middle attack, since it does not confirm the identity
| of the server it is connected to. The first request a Faye client
| makes is always sent via normal HTTP, but later messages may be sent
| via WebSocket. Therefore it is vulnerable to the same problem that
| these underlying libraries are, and we needed both libraries to
| support TLS verification before Faye could claim to do the same. Your
| client would still be insecure if its initial HTTPS request was
| verified, but later WebSocket connections were not. This is fixed in
| Faye v1.4.0, which enables verification by default. For further
| background information on this issue, please see the referenced GitHub
| Advisory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134
[1] https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9
[2] https://github.com/faye/faye/issues/524
[3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Aug 4 09:14:08 2020;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon