libopenssl-ruby (0.1.4a-1sarge1) oldstable; urgency=low

  * This package includes fixes for CVE-2007-5162.

    The upstream author has taken two actions about CVE-2007-5162:

    1) They released Ruby 1.8.6-p111 and 1.8.5-p114. But that release
       requires changes to the user's code to verify the server's identity.
       http://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability/ [en]
       http://www.ruby-lang.org/ja/news/2007/10/04/isecpartners-com-2007-006-rubyssl/ [ja]

    2) The upstream author re-added some fixes to Ruby. They make Ruby
       verify the server's identity by default. This is available on the
       ruby_1_8 branch, the trunk of the Ruby repository and the next
       release of Ruby 1.8.x.

    On Debian, we took the 2nd action of the above.

    The new libopenssl-ruby1.6 package makes Ruby (Net::HTTPS and
    Net::TELNETS) verify the server's identity by default if the SSL
    connection isn't in VERIFY_NONE mode. It requires no change to the
    user's code.
-- akira yamada <akira@debian.org> Tue, 16 Oct 2007 17:32:02 +0900
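The changelog's point is that "verifying the server's identity" is a separate step from verifying the certificate chain: VERIFY_PEER only checks that the certificate is signed by a trusted CA, while the identity check compares the hostname the client connected to against the certificate's subjectAltName (or, failing that, its CN). The following is an added example written for this page; it is not code from the Debian package or from Ruby upstream. It assumes the present-day openssl gem API, in particular OpenSSL::SSL.verify_certificate_identity, which is the routine SSLSocket#post_connection_check uses for the hostname comparison; the certificates and hostnames are constructed test data built in memory.

```ruby
require 'openssl'

# Constructed test data: a self-signed certificate for one hostname, with an
# optional subjectAltName list. Not a real CA; built in memory for this example.
def make_self_signed(cn, sans = [])
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  unless sans.empty?
    cert.add_extension(ef.create_extension("subjectAltName", sans.join(","), false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Step 1: chain verification. This is what VERIFY_PEER gives you: is the
# certificate signed by something in the trust store? It says nothing about
# which host the certificate was issued for.
def chain_trusted?(cert, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  store.verify(cert)
end

# Step 2: identity verification. This is the check SSLSocket#post_connection_check
# applies through OpenSSL::SSL.verify_certificate_identity: does the hostname
# the client connected to match a DNS subjectAltName or, if there is no SAN,
# the subject CN? A client that skips this step accepts any validly signed
# certificate for any host, which is the weakness CVE-2007-5162 describes.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# What a client in VERIFY_PEER mode should require: both checks must hold.
def server_acceptable?(cert, trusted_certs, hostname)
  chain_trusted?(cert, trusted_certs) && identity_matches?(cert, hostname)
end

if __FILE__ == $0
  good = make_self_signed("www.example.com", ["DNS:www.example.com", "DNS:example.com"])
  # Same name in the CN, but signed by a key that is not in the trust store.
  rogue = make_self_signed("www.example.com")
  puts server_acceptable?(good,  [good], "www.example.com")   # trusted and right name
  puts server_acceptable?(good,  [good], "mail.example.com")  # trusted, wrong name
  puts server_acceptable?(rogue, [good], "www.example.com")   # right name, untrusted
end
```

Only the first call should succeed: the second certificate is trusted but was issued for a different host, and the third carries the expected name but no trusted signature. Chain trust and name matching catch different attacks, and a client needs both.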