ruby2.2: CVE-2015-3900: DNS hijacking vulnerability in api_endpoint()

Related Vulnerabilities: CVE-2015-3900  

Debian Bug report logs - #790111


Package: src:ruby2.2; Maintainer for src:ruby2.2 is (unknown);

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 27 Jun 2015 09:24:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version ruby2.2/2.2.2-1

Fixed in version ruby2.2/2.2.2-3

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>: Bug#790111; Package src:ruby2.2. (Sat, 27 Jun 2015 09:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Sat, 27 Jun 2015 09:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby2.2: CVE-2015-3900: DNS hijacking vulnerability in api_endpoint()
Date: Sat, 27 Jun 2015 11:21:22 +0200
Source: ruby2.2
Version: 2.2.2-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for ruby2.2.

CVE-2015-3900[0]:
| RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
| 2.4.7 does not validate the hostname when fetching gems or making API
| request, which allows remote attackers to redirect requests to
| arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
| attack."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3900
[1] http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Regards,
Salvatore
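The CVE text above says RubyGems accepted whatever host a DNS SRV record named, without checking it against the configured gem source. The check below is an added Ruby illustration of the fix, not the RubyGems or Debian patch code: it assumes the `_rubygems._tcp` SRV lookup RubyGems performs, and the SRV answer is passed in as a parameter so the example runs offline.

```ruby
require 'uri'

# Added example (not RubyGems' own code): the hostname validation whose
# absence is described by CVE-2015-3900. A gem source such as
# https://rubygems.org may publish a _rubygems._tcp SRV record naming the
# API host to use. Without validation, any target the SRV answer names is
# used as-is, so a spoofed or hijacked SRV record redirects gem fetches.
# The fix is to honour the SRV target only when it is a subdomain of the
# host the user actually configured.

# True when +target+ is a strict subdomain of +host+. Comparison is
# case-insensitive and tolerates the trailing dot DNS presentation uses.
def srv_target_allowed?(host, target)
  host   = host.to_s.strip.downcase.chomp('.')
  target = target.to_s.strip.downcase.chomp('.')
  return false if host.empty? || target.empty?
  # Suffix match on a label boundary, so "evilrubygems.org" does not pass
  # for "rubygems.org", and "rubygems.org.evil.example" does not either.
  target.end_with?(".#{host}")
end

# Builds the API endpoint for +source_uri+ from the SRV answer for
# _rubygems._tcp.<host>. +srv_target+ is injected (nil models "no SRV
# record"). Falls back to the configured URI whenever the record is
# absent or points outside the configured host's domain.
def api_endpoint(source_uri, srv_target)
  uri = URI.parse(source_uri)
  return uri if srv_target.nil? || !srv_target_allowed?(uri.host, srv_target)
  URI.parse("#{uri.scheme}://#{srv_target.to_s.strip.chomp('.')}#{uri.path}")
end

if $PROGRAM_NAME == __FILE__
  # Constructed SRV answers, not real DNS data.
  puts api_endpoint('https://rubygems.org', 'api.rubygems.org.')  # honoured
  puts api_endpoint('https://rubygems.org', 'evil.example.')      # rejected
  puts api_endpoint('https://rubygems.org', 'evilrubygems.org')   # rejected
end
```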



Reply sent to Antonio Terceiro <terceiro@debian.org>: You have taken responsibility. (Thu, 30 Jul 2015 01:21:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 30 Jul 2015 01:21:04 GMT)


Message #10 received at 790111-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 790111-close@bugs.debian.org
Subject: Bug#790111: fixed in ruby2.2 2.2.2-3
Date: Thu, 30 Jul 2015 01:19:23 +0000
Source: ruby2.2
Source-Version: 2.2.2-3

We believe that the bug you reported is fixed in the latest version of
ruby2.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790111@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 29 Jul 2015 09:50:08 -0300
Source: ruby2.2
Binary: ruby2.2 libruby2.2 libruby2.2-dbg ruby2.2-dev ruby2.2-doc ruby2.2-tcltk
Architecture: source all
Version: 2.2.2-3
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.2 - Libraries necessary to run Ruby 2.2
 libruby2.2-dbg - Debugging symbols for libruby2.2
 ruby2.2    - Interpreter of object-oriented scripting language Ruby
 ruby2.2-dev - Header files for compiling extension modules for the Ruby 2.2
 ruby2.2-doc - Documentation for Ruby 2.2
 ruby2.2-tcltk - Ruby/Tk for Ruby 2.2
Closes: 790111 791925
Changes:
 ruby2.2 (2.2.2-3) unstable; urgency=medium
 .
   [ Christian Hofstaedtler ]
   * Have libruby2.2 depend on ruby-test-unit, as upstream bundles this
     externally maintained package in their tarballs. (Closes: #791925)
 .
   [ Antonio Terceiro ]
   * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
     [CVE-2015-3900] (Closes: #790111)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 Sep 2015 07:26:19 GMT)

