ruby-openssl: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly


Debian Bug report logs - #911918


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Oct 2018 06:39:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version ruby-openssl/2.1.1-1

Fixed in version ruby-openssl/2.1.2-1

Done: Utkarsh Gupta <guptautkarsh4102@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911918; Package src:ruby-openssl. (Fri, 26 Oct 2018 06:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Oct 2018 06:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-openssl: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
Date: Fri, 26 Oct 2018 08:36:01 +0200
Source: ruby-openssl
Version: 2.1.1-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: clone -1 -2
Control: retitle -2 ruby2.5: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
Control: reassign -2 ruby2.5 2.5.1-6

Hi,

The following vulnerability was published for ruby-openssl.

CVE-2018-16395[0]:
OpenSSL::X509::Name equality check does not work correctly

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16395
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
[1] https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

Regards,
Salvatore
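A self-check a package maintainer could run after a report like this, added here as an example; it is neither part of the bug report nor of ruby-openssl's own code or test suite. The report names only the symptom (OpenSSL::X509::Name#== misjudging names), not the triggering input, so the check does not try to reproduce it. Instead it runs #== over a set of constructed subject-name pairs and compares the answer with an independent oracle, DER-encoding equality, plus the contract that equal objects have equal #hash values. The oracle is an assumption of this example: OpenSSL's X509_NAME_cmp() compares a canonical encoding that folds case and whitespace, so the sample pairs avoid differences of only that kind, where the two would legitimately disagree. The version constant 2.1.2 is the upstream release the Debian changelog on this page names as carrying the fix.

```ruby
require "openssl"

# Upstream release the Debian changelog in this bug log names as fixing
# CVE-2018-16395. Hint only: distributions backport fixes without bumping
# the gem version, so the behavioural check below is the one to trust.
FIXED_GEM_VERSION = "2.1.2"

# Constructed sample subject pairs (not taken from the report). Each
# right-hand name differs from the left-hand one in a small way, or not at
# all, so a lax equality check has something to get wrong. Differences in
# case or whitespace only are deliberately avoided because X509_NAME_cmp()
# compares a canonical encoding that folds those, and the DER oracle would
# not agree with it there.
SAMPLE_PAIRS = [
  ["/CN=example.com/O=Example", "/CN=example.com/O=Example"],  # identical
  ["/CN=example.com/O=Example", "/CN=example.com/O=Examplee"], # one extra character
  ["/CN=example.com/O=Example", "/CN=example.com/O=Exampld"],  # one character changed
  ["/CN=example.com/O=Example", "/O=Example/CN=example.com"],  # same RDNs, different order
  ["/CN=example.com/O=Example", "/CN=example.com"],            # one RDN missing
].freeze

def parse_name(str)
  OpenSSL::X509::Name.parse_openssl(str)
end

# Reference oracle (assumption of this example): two names are the same
# name exactly when their DER encodings are byte-identical.
def der_equal?(a, b)
  a.to_der == b.to_der
end

# One row per pair: what #== says, what the DER oracle says, and whether the
# two agree. For pairs #== calls equal, the #hash values must also match.
def check_name_equality(pairs = SAMPLE_PAIRS)
  pairs.map do |left, right|
    a = parse_name(left)
    b = parse_name(right)
    equal = (a == b)
    der = der_equal?(a, b)
    {
      pair: [left, right],
      equal: equal,
      der_equal: der,
      consistent: equal == der && (!equal || a.hash == b.hash),
    }
  end
end

# true when #== agreed with the oracle on every sample pair
def name_equality_ok?(pairs = SAMPLE_PAIRS)
  check_name_equality(pairs).all? { |row| row[:consistent] }
end

# Reports whether the loaded openssl gem is at least the upstream fix release.
def gem_version_at_least_fixed?
  Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new(FIXED_GEM_VERSION)
end

if $PROGRAM_NAME == __FILE__
  check_name_equality.each do |row|
    status = row[:consistent] ? "ok  " : "FAIL"
    puts "#{status} #{row[:pair].inspect} ==:#{row[:equal]} der:#{row[:der_equal]}"
  end
  puts "openssl gem #{OpenSSL::VERSION} (>= #{FIXED_GEM_VERSION}: #{gem_version_at_least_fixed?})"
  puts(name_equality_ok? ? "Name#== consistent on all samples" : "Name#== INCONSISTENT")
end
```

Run it with the ruby-openssl under test on the load path; any FAIL row means #== and the DER oracle disagree on that pair and the installed binding needs a closer look, whatever version string it reports.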



Bug 911918 cloned as bug 911919. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 26 Oct 2018 06:39:04 GMT)


Reply sent to Utkarsh Gupta <guptautkarsh4102@gmail.com>:
You have taken responsibility. (Tue, 26 Mar 2019 17:39:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 26 Mar 2019 17:39:11 GMT)


Message #12 received at 911918-close@bugs.debian.org:

From: Utkarsh Gupta <guptautkarsh4102@gmail.com>
To: 911918-close@bugs.debian.org
Subject: Bug#911918: fixed in ruby-openssl 2.1.2-1
Date: Tue, 26 Mar 2019 17:35:02 +0000
Source: ruby-openssl
Source-Version: 2.1.2-1

We believe that the bug you reported is fixed in the latest version of
ruby-openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh4102@gmail.com> (supplier of updated ruby-openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 26 Mar 2019 06:19:25 +0530
Source: ruby-openssl
Binary: ruby-openssl
Architecture: source
Version: 2.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Description:
 ruby-openssl - Ruby bindings for OpenSSL
Closes: 911918
Changes:
 ruby-openssl (2.1.2-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 2.1.2 (Fixes: CVE-2018-16395) (Closes: #911918)
   * Bump Standards-Version to 4.3.0 (no changes needed)
   * Fix insecure URL
Checksums-Sha1:
 59a1e65de5136debbd2af794a12cbe69acfd9d9c 2045 ruby-openssl_2.1.2-1.dsc
 fb8bb793d24509579d844b319b4b77a90c46b07f 255371 ruby-openssl_2.1.2.orig.tar.gz
 6ee2544c1820092c78b205115a9b28f3e4c52bb9 14232 ruby-openssl_2.1.2-1.debian.tar.xz
 15d0ee85cdb76bb1084d084dbd33ac021655974d 7037 ruby-openssl_2.1.2-1_source.buildinfo
Checksums-Sha256:
 a732adf4669614d5e0b32a522fada4a618e25812bceb59ee3e8a1d97a7f5ca94 2045 ruby-openssl_2.1.2-1.dsc
 0ae8da1eaef89e8b4a5d1834f9c8ab17425b01316cd6d63d89c11370eefc0aef 255371 ruby-openssl_2.1.2.orig.tar.gz
 97fc952e39a085b06898a82eca6886d67da4c23261eca9b7a6ef81b3b42329c7 14232 ruby-openssl_2.1.2-1.debian.tar.xz
 e172d6dc5a7fd402066c48e9a2768c33dd6d784c172250264d0fb1fe4cc5cb58 7037 ruby-openssl_2.1.2-1_source.buildinfo
Files:
 5d30f03fa7dd5f4b18679eb6941af5fc 2045 ruby optional ruby-openssl_2.1.2-1.dsc
 592a784002c2807c5f0014709eba15f8 255371 ruby optional ruby-openssl_2.1.2.orig.tar.gz
 4fc3cfec80f441b8837b61ef938c4ac1 14232 ruby optional ruby-openssl_2.1.2-1.debian.tar.xz
 9edd28809779bd2d3dbbfea9ce588b8d 7037 ruby optional ruby-openssl_2.1.2-1_source.buildinfo




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Apr 2019 07:26:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:10:01 2019; Machine Name: buxtehude
