Description
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
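The defect is that the target of a `_rubygems._tcp` SRV record was followed without checking that it stays inside the gem source's domain. The following is an added illustration of that check, written for this page and not taken from RubyGems itself; the hostnames and SRV answers are constructed, and the DNS lookup is replaced by an in-memory resolver so it runs offline.

```ruby
require 'uri'

# Constructed SRV answers standing in for DNS: the record for the first
# source points back into its own domain, the second points at an unrelated
# domain, which is the redirect CVE-2015-3900 describes.
SRV_ANSWERS = {
  '_rubygems._tcp.gems.example.org' => 'api.gems.example.org.',
  '_rubygems._tcp.gems.example.net' => 'mirror.attacker.example.',
}.freeze
OFFLINE_RESOLVER = ->(name) { SRV_ANSWERS[name] }

# Look up the _rubygems._tcp SRV target for a source host. The resolver is
# injected so the example runs offline; nil means no SRV record exists.
def srv_target(host, resolver = OFFLINE_RESOLVER)
  target = resolver.call("_rubygems._tcp.#{host}")
  target && target.to_s.strip.chomp('.')
end

# The hostname check the vulnerable versions lacked: only trust an SRV
# target that is the source host itself or a subdomain of it. The leading
# dot matters, otherwise 'evilgems.example.org' would pass for
# 'gems.example.org'.
def srv_target_allowed?(host, target)
  return false if target.nil? || target.empty?
  target == host || target.end_with?(".#{host}")
end

# Derive the API endpoint for a gem source. With validate: false the SRV
# target is followed unconditionally (the pre-fix behaviour); with the
# default, a target outside the source's domain is ignored and the
# configured host is kept.
def api_endpoint(source, resolver = OFFLINE_RESOLVER, validate: true)
  uri = URI.parse(source)
  target = srv_target(uri.host, resolver)
  return uri if target.nil?
  return uri if validate && !srv_target_allowed?(uri.host, target)
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end
```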
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| rubygems | not-affected | | | package |
| libgems-ruby | not-affected | | | package |
| ruby1.8 | not-affected | | | package |
| ruby1.9.1 | not-affected | | | package |
| ruby2.1 | fixed | 2.1.5-4 | | package |
| ruby2.1 | fixed | 2.1.5-2+deb8u2 | jessie | package |
| ruby2.2 | fixed | 2.2.2-3 | | package |
| jruby | fixed | 1.7.20.1-2 | | package |
| jruby | not-affected | | jessie | package |
| jruby | not-affected | | wheezy | package |
| jruby | not-affected | | squeeze | package |
Notes
https://github.com/rubygems/rubygems/commit/6bbee35
https://github.com/rubygems/rubygems/commit/5c7bfb5
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html