Ruby update fixes SSL man-in-the-middle vulnerability
The OpenSSL implementation bundled with Ruby has been found to be vulnerable to having its hostname check bypassed. The flaw, rooted in the lack of proper handling of alternate X509 names with null bytes in them, could allow an attacker to present a certificate for "
www.ruby-lang.org\0example.com" which when read by the Ruby client library, would be interpreted as "
www.ruby-lang.org". That result would be handed over to the certificate verfication routines which would cause the certificate would be identified as coming from "
www.ruby-lang.org". If an attacker could get a certificate where the
subjectAltName included such a null byte, they could use that certificate to interpose themselves between a victim and the site.
All Ruby versions are affected; Ruby 1.8.7 p373 and earlier, Ruby 1.9.3 p447 and earlier and Ruby 2.0 p246 and earlier. Also all revisions from the Ruby source tree prior to revision 41670 are vulnerable. Updates in the form of Ruby 1.8.7 p374, Ruby 1.9.3 p448 and Ruby 2.0.0 p247 are now available.The Ruby 1.8.7 update also includes another security fix to close a denial of service vulnerability in REXML entity expansion. All the updates also contain various other bug fixes which are listed with their relevant announcements.