Bug 926974 - (CVE-2015-1855) VUL-0: CVE-2015-1855: ruby: Ruby OpenSSL Hostname Verification
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2015-1855:6.4:(AV:N/A...
Reported: 2015-04-13 18:03 UTC by Andreas Stieger
Modified: 2017-10-26 07:58 UTC (History)

Found By: Security Response Team


Description Andreas Stieger 2015-04-13 18:03:36 UTC
Via ruby-sec-announce:
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492. Similar issues were found in Python.

This vulnerability has been assigned the CVE identifier CVE-2015-1855.

We strongly recommend you upgrade Ruby.
Details

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparisons of these values are now case-insensitive.

This change will affect Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.

Specifically:

    Only one wildcard character in the left-most part of the hostname is allowed.
    IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
    Subject/SAN should be limited to ASCII characters only.

All users running an affected release should upgrade immediately.
Affected versions

    All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 645
    All ruby 2.1 versions prior to ruby 2.1.6
    All ruby 2.2 versions prior to ruby 2.2.2
    prior to trunk revision 50292

Credits

Thanks to Tony Arcieri, Jeffrey Walton, and Steffan Ullrich for reporting this issue. Originally reported as Bug #9644, and patches submitted by Tony Arcieri and Hiroshi Nakamura.
History

    Originally published at 2015-04-13 12:00:00 (UTC)


Upstream bug:
https://bugs.ruby-lang.org/issues/9644

Upstream commit trunk:
https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/50292

Upstream commit backport 2.2:
https://bugs.ruby-lang.org/projects/backport22/repository/revisions/50293

Upstream commit backport 2.1:
https://bugs.ruby-lang.org/projects/ruby-21/repository/revisions/50296

Upstream commit backport 2.0:
https://bugs.ruby-lang.org/projects/ruby-200/repository/revisions/50294
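The stricter matching rules the advisory lists (case-insensitive comparison, ASCII-only subject/SAN, a single wildcard confined to the left-most label, IDNA names matched only by a bare "*"), as an added Ruby example that is not the Ruby OpenSSL extension's own verify_certificate_identity code. The label-count checks are an assumption added here so that a lone "*" cannot match every host.

```ruby
# Added example, not the Ruby OpenSSL extension's code: checks one dNSName/CN
# pattern from a certificate against a hostname using the rules from the
# CVE-2015-1855 advisory. Returns true on a match, false otherwise.
def strict_hostname_match?(pattern, hostname)
  return false unless pattern.ascii_only?   # subject/SAN limited to ASCII
  return false if pattern.count("*") > 1    # at most one wildcard overall

  # Comparison is case-insensitive; keep empty labels so "a..b" is rejected.
  pat_labels  = pattern.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)

  # Assumption added here: same number of labels, at least two of them,
  # and no empty labels. This stops "*" alone from matching anything.
  return false if pat_labels.size < 2 || pat_labels.size != host_labels.size
  return false if pat_labels.any?(&:empty?) || host_labels.any?(&:empty?)

  first_pat, *rest_pat = pat_labels
  first_host, *rest_host = host_labels

  # A wildcard is only allowed in the left-most label; every other label
  # must match literally ("www.*.com" is refused).
  return false if rest_pat.any? { |l| l.include?("*") }
  return false unless rest_pat == rest_host
  return first_pat == first_host unless first_pat.include?("*")

  # IDNA A-labels ("xn--...") may only be matched by a simple "*.domain".
  return first_pat == "*" if first_host.start_with?("xn--")

  # Partial wildcard such as "b*r": the host label must start with the text
  # before "*" and end with the text after it, without the two overlapping.
  prefix, suffix = first_pat.split("*", -1)
  first_host.length >= prefix.length + suffix.length &&
    first_host.start_with?(prefix) && first_host.end_with?(suffix)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample pairs showing what the stricter rules accept and reject.
  [["*.example.com", "www.example.com"],
   ["*.*.com", "www.example.com"],
   ["www.*.com", "www.example.com"],
   ["x*.example.com", "xn--bcher-kva.example.com"],
   ["*.example.com", "xn--bcher-kva.example.com"]].each do |pat, host|
    puts "#{pat.ljust(18)} vs #{host.ljust(28)} => #{strict_hostname_match?(pat, host)}"
  end
end
```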
Comment 1 Swamp Workflow Management 2015-04-13 22:00:15 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-06-25 09:57:47 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62111
Comment 8 Swamp Workflow Management 2015-11-02 16:33:06 UTC
SUSE-SU-2015:1889-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 926974,939860
CVE References: CVE-2009-5147,CVE-2015-1855
Sources used:
SUSE Studio Onsite 1.3 (src):    ruby19-1.9.3.p392-0.23.1
Comment 9 SMASH SMASH 2015-12-17 11:00:00 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 24, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121177/.
Comment 11 Marcus Rückert 2017-03-10 15:23:34 UTC
We decided to skip the pull request for now.

We should wait for 2.4 getting more widely adopted and then handle it in all the extensions. As an example, see:

https://github.com/glaszig/logstash-logger/commit/19355a2346f2cf31a415fa8c7b8472e63a84f092
Comment 12 Victor Pereira 2017-03-14 16:02:33 UTC
Reproducer: https://github.com/vpereira/CVE-2015-1855
Comment 14 Swamp Workflow Management 2017-04-06 13:10:54 UTC
SUSE-SU-2017:0948-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 926974,959495,986630
CVE References: CVE-2015-1855,CVE-2015-7551
Sources used:
SUSE Webyast 1.3 (src):    ruby-1.8.7.p357-0.9.19.1
SUSE Studio Onsite 1.3 (src):    ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Server 11-SP4 (src):    ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ruby-1.8.7.p357-0.9.19.1
SUSE Lifecycle Management Server 1.3 (src):    ruby-1.8.7.p357-0.9.19.1
Comment 15 Swamp Workflow Management 2017-04-20 10:09:57 UTC
SUSE-SU-2017:1067-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP2 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP1 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ruby2.1-2.1.9-15.1
OpenStack Cloud Magnum Orchestration 7 (src):    ruby2.1-2.1.9-15.1
Comment 16 Swamp Workflow Management 2017-04-28 16:12:28 UTC
openSUSE-SU-2017:1128-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
openSUSE Leap 42.2 (src):    ruby2.1-2.1.9-8.3.2
openSUSE Leap 42.1 (src):    ruby2.1-2.1.9-10.2
Comment 17 Marcus Meissner 2017-10-26 07:58:53 UTC
released