Description
The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| ruby-http | fixed | 1.0.2-2 | | package |
| ruby-http | no-dsa | | jessie | package |
Notes
http.rb failed to call the `#post_connection_check` method on SSL connections.
This method implements hostname verification, and without it `http.rb` was
vulnerable to MitM attacks. The problem was corrected by calling
`#post_connection_check`.
Fixed by: https://github.com/httprb/http/commit/24626bfcdeda1084502575c3fbb6091c9e2815e0
Related vulnerabilities
The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.
http vulnerable to Exposure of Sensitive Information to an Unauthorized Actor