comp.lang.ruby

Ruby 1.8.6-p111 / 1.8.5-p114 released (Security Fix)

Urabe Shyouhei

10/4/2007 4:04:00 AM

Hi all.

A problem in the net/https library was reported. We have already fixed it
in the repository, but we also think it is worth releasing. Here they are.
The only difference from the latest 1.8.6-p110 / 1.8.5-p113 is the
inclusion of the fixes for it.

Detailed information should be found at the original advisory:
http://www.isecpartners.com/advisories/2007-006-r...

Released tarballs are available at:

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p1...
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p...
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8....
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p1...
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p...
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8....


And checksums:

MD5(ruby-1.8.6-p111.tar.bz2)= e1d38b7d4f1be55726d6927a3395ce3b
SHA256(ruby-1.8.6-p111.tar.bz2)= 85c694678313818a5083bcfd66ae389fc053b506d93b5ad46f3764981c120fbb
SIZE(ruby-1.8.6-p111.tar.bz2)= 3919396

MD5(ruby-1.8.6-p111.tar.gz)= c36e011733a3a3be6f43ba27b7cd7485
SHA256(ruby-1.8.6-p111.tar.gz)= 5edafdce60b28aecff1a10c892192b27f42ebdf4871018e86fc473366cc7dea6
SIZE(ruby-1.8.6-p111.tar.gz)= 4547579

MD5(ruby-1.8.6-p111.zip)= 949974534a5ed3bc30adce6d4f8860e4
SHA256(ruby-1.8.6-p111.zip)= 1f61fe2625dde0e8be196c81247fbee2ecae2158939f21e233f0c2c5476ec4cb
SIZE(ruby-1.8.6-p111.zip)= 5563270

MD5(ruby-1.8.5-p114.tar.bz2)= d57f9762b3b34a9e4835085b4c5acc59
SHA256(ruby-1.8.5-p114.tar.bz2)= c503ae8eb47db72f78fb7a79fe1874ffef40a7094f7e803bacbf994a924244d9
SIZE(ruby-1.8.5-p114.tar.bz2)= 3862713

MD5(ruby-1.8.5-p114.tar.gz)= 407204b3868991047b5c956aaebc4232
SHA256(ruby-1.8.5-p114.tar.gz)= fea4f92e01b7e507a7485392255830afae0e60a8b5c1bec6eb8751078808a79a
SIZE(ruby-1.8.5-p114.tar.gz)= 4484868

MD5(ruby-1.8.5-p114.zip)= 4a0e1810a19e25c6d91d538a8f0ecc60
SHA256(ruby-1.8.5-p114.zip)= 2c9bd43b310c164e9dfd529049dd67b1490e9ac5aca468bb4c296cd6d97d55ba
SIZE(ruby-1.8.5-p114.zip)= 5493270




NAKAMURA, Hiroshi

10/4/2007 1:33:00 PM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Urabe Shyouhei wrote:
> A problem in the net/https library was reported. We have already fixed it
> in the repository, but we also think it is worth releasing. Here they are.
> The only difference from the latest 1.8.6-p110 / 1.8.5-p113 is the
> inclusion of the fixes for it.
>
> Detailed information should be found at the original advisory:
> http://www.isecpartners.com/advisories/2007-006-r...

It's not related to Ruby, but the report above should have a reference to
RFC 2818 section 3.1, Server Identity.

RFC 2818 says:

  Automated clients MUST log the error to an appropriate audit log (if
  available) and SHOULD terminate the connection (with a bad certificate
  error).

So the net/http.rb versions on 1.8.6 and 1.8.5 SHOULD have
@enable_post_connection_check = true
as well as the trunk version. I recommend turning it on as soon as
possible, although it's your business, syouhei. Balance security and
compatibility.

For users: the problem affects you if:
1. the code of your program or of one of its dependent libraries uses
net/https for an SSL connection, plus,
2. the code sets http.verify_mode to OpenSSL::SSL::VERIFY_PEER
explicitly (the default is VERIFY_NONE, which means no security), plus,
3. the code sets http.ca_file properly.

open-uri.rb is not affected by this because it does check server
identity, though it does 2 and 3. imap.rb, smtp.rb, pop.rb and drb/ssl.rb
will be fixed soon.

Regards,
// NaHi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)

iQEVAwUBRwTrbB9L2jg5EEGlAQKrvggAwsB0AwpTuL0enc9UtUhLBhvKDIUwr6eu
L5kAKxYn2CXH/r9AJY8F/fHT2jUeciIsnorkDwUIx+sHib2X2lo0XUWCqflusijb
h1g7rSVVBlKEX3wvfgugWkbZjd17dFj3Z12D+oLxZHi2La0dwJdFe8UgQ1+POf6l
iODrWKshN8d4olf9v++4LE49kUEnt/OGXMNMLENvwV3HnBGO8qtD/S85hjjIGZnV
8JerSBziCffJGglE7+xozElfs23HZW4gBjoLCVanK0slEHzO0GmY94P6DGLO4VhW
YCPP7M+1Nq+3fJPSXlT56SkcqyfWIcABpEKM+puUPD7dotFwqt8VXw==
=nu+h
-----END PGP SIGNATURE-----
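The gap NaHi's checklist describes, shown as an added example that is not code from the thread or from Ruby itself: VERIFY_PEER plus ca_file only validates the certificate chain, so an attacker holding a genuine certificate for some other name under the same CA passes that check while impersonating the host you asked for; the post-connection check is what ties the certificate to the intended hostname. The CA, the two leaf certificates and the hostnames api.example.test and attacker.example.test are constructed for the example, and configure_https is a hypothetical helper that only builds a Net::HTTP object without connecting.

```ruby
require "openssl"
require "net/https"

# Constructed for this example: a throwaway CA plus two leaf certificates it
# issued. The attacker legitimately owns attacker.example.test and presents
# that certificate while impersonating api.example.test.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, san: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY    = make_key
CA_CERT   = make_cert("Example Test CA", CA_KEY, ca: true)
GOOD_CERT = make_cert("api.example.test", make_key,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY, san: "api.example.test")
EVIL_CERT = make_cert("attacker.example.test", make_key,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY, san: "attacker.example.test")

# Step 1: what verify_mode = VERIFY_PEER plus ca_file gives you: the chain
# must lead to a trusted CA. Both leaves pass, because both are genuine.
def chain_valid?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Step 2: what the post-connection check adds: the certificate's subjectAltName
# (or CN) must name the host the client set out to reach. This is the check
# RFC 2818 section 3.1 requires and the pre-p111 net/https skipped.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Both checks in the order the fixed library applies them. With
# post_connection_check: false the behaviour is that of the unpatched client.
def server_accepted?(cert, ca_cert, hostname, post_connection_check: true)
  return false unless chain_valid?(cert, ca_cert)
  return true unless post_connection_check
  identity_matches?(cert, hostname)
end

# The Net::HTTP configuration from NaHi's checklist, built without connecting.
# Hypothetical helper: enable_post_connection_check= is the attribute added in
# 1.8.6-p111 / 1.8.5-p114; later Rubies run the hostname check whenever
# verify_mode is not VERIFY_NONE and drop the attribute, hence the guard.
def configure_https(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # the 1.8 default was VERIFY_NONE
  http.ca_file = ca_file
  if http.respond_to?(:enable_post_connection_check=)
    http.enable_post_connection_check = true
  end
  http
end

if __FILE__ == $0
  host = "api.example.test"
  puts "unpatched, attacker cert: #{server_accepted?(EVIL_CERT, CA_CERT, host, post_connection_check: false)}"
  puts "patched,   attacker cert: #{server_accepted?(EVIL_CERT, CA_CERT, host)}"
  puts "patched,   genuine cert:  #{server_accepted?(GOOD_CERT, CA_CERT, host)}"
end
```

The unpatched row prints true: chain validation alone accepts the attacker's certificate for api.example.test, which is exactly the man-in-the-middle the advisory describes. Note that a name check on the server's certificate only helps once verify_mode is VERIFY_PEER; with the 1.8 default of VERIFY_NONE there is no certificate to check against in the first place.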

Michal Suchanek

11/8/2007 1:12:00 PM


BTW

The checksum is not mentioned on the Japanese download page. I guess I
would notice a piece of Latin text on a Japanese page quite easily.

The release is not mentioned on the English download page at all.

The download pages do not mention the .bz2 version of the archive.

Thanks

Michal