ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.

From Red Hat Security Advisory 2009:1140 :

Updated ruby packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A flaw was found in the way the Ruby POP module processed certain APOP authentication requests. By sending certain responses when the Ruby APOP module attempted to authenticate using APOP against a POP server, a remote attacker could, potentially, acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

It was discovered that Ruby did not properly check the return value when verifying X.509 certificates. This could, potentially, allow a remote attacker to present an invalid X.509 certificate, and have Ruby treat it as valid. (CVE-2009-0642)

A flaw was found in the way Ruby converted BigDecimal objects to Float numbers. If an attacker were able to provide certain input for the BigDecimal object converter, they could crash an application using this class. (CVE-2009-1904)

All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues.

A flaw was found in the way the Ruby POP module processed certain APOP authentication requests. By sending certain responses when the Ruby APOP module attempted to authenticate using APOP against a POP server, a remote attacker could, potentially, acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

It was discovered that Ruby did not properly check the return value when verifying X.509 certificates. This could, potentially, allow a remote attacker to present an invalid X.509 certificate, and have Ruby treat it as valid. (CVE-2009-0642)

A flaw was found in the way Ruby converted BigDecimal objects to Float numbers. If an attacker were able to provide certain input for the BigDecimal object converter, they could crash an application using this class. (CVE-2009-1904)

This ruby update improves return value checks for openssl function OCSP_basic_verify() (CVE-2009-0642) which allowed an attacker to use revoked certificates. The entropy of DNS identifiers was increased (CVE-2008-3905) to avaid spoofing attacks. The code for parsing XML data was vulnerable to a denial of service bug (CVE-2008-3790). An attack on algorithm complexity was possible in function WEBrick::HTTP::DefaultFileHandler() while parsing HTTP requests (CVE-2008-3656) as well as by using the regex engine (CVE-2008-3443) causing high CPU load. Ruby's access restriction code (CVE-2008-3655) as well as safe-level handling using function DL.dlopen() (CVE-2008-3657) and big decimal handling (CVE-2009-1904) was improved.
Bypassing HTTP basic authentication (authenticate_with_http_digest) is not possible anymore.

Several vulnerabilities have been discovered in Ruby. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0642     The return value from the OCSP_basic_verify function was     not checked properly, allowing continued use of a     revoked certificate.

  - CVE-2009-1904     An issue in parsing BigDecimal numbers can result in a     denial-of-service condition (crash).

The following matrix identifies fixed versions :

                        ruby1.8                ruby1.9                  oldstable (etch)       1.8.5-4etch5           1.9.0+20060609-1etch5    stable (lenny)         1.8.7.72-3lenny1       1.9.0.2-9lenny1          unstable (sid)         1.8.7.173-1            (soon)

Updated ruby packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A flaw was found in the way the Ruby POP module processed certain APOP authentication requests. By sending certain responses when the Ruby APOP module attempted to authenticate using APOP against a POP server, a remote attacker could, potentially, acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

It was discovered that Ruby did not properly check the return value when verifying X.509 certificates. This could, potentially, allow a remote attacker to present an invalid X.509 certificate, and have Ruby treat it as valid. (CVE-2009-0642)

A flaw was found in the way Ruby converted BigDecimal objects to Float numbers. If an attacker were able to provide certain input for the BigDecimal object converter, they could crash an application using this class. (CVE-2009-1904)

All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues.

Multiple vulnerabilities was discovered and corrected in ruby :

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate (CVE-2009-0642).

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type (CVE-2009-1904).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

This ruby update improves return value checks for openssl function OCSP_basic_verify() (CVE-2009-0642) which allowed an attacker to use revoked certificates.

The entropy of DNS identifiers was increased (CVE-2008-3905) to avaid spoofing attacks.

The code for parsing XML data was vulnerable to a denial of service bug. (CVE-2008-3790)

An attack on algorithm complexity was possible in function WEBrick::HTTP::DefaultFileHandler() while parsing HTTP requests (CVE-2008-3656) as well as by using the regex engine (CVE-2008-3443) causing high CPU load.

Ruby's access restriction code (CVE-2008-3655) as well as safe-level handling using function DL.dlopen() (CVE-2008-3657) and big decimal handling (CVE-2009-1904) was improved.

Bypassing HTTP basic authentication (authenticate_with_http_digest) is not possible anymore.

This update for ruby fixes the following security issues : 

  - Improve return value checks for OpenSSL function     OCSP_basic_verify() to refuse usage of revoked     certificates. (CVE-2009-0642)

  - Increase entropy of DNS identifiers to avoid spoofing     attacks. (CVE-2008-3905)

  - Fix denial of service (DoS) vulnerability while parsing     XML data. (CVE-2008-3790) 

  - Fix possible attack on algorithm complexity in function     WEBrick::HTTP::DefaultFileHandler() while parsing HTTP     requests or by using the regex engine to cause high CPU     load. (CVE-2008-3656, CVE-2008-3443)

  - Improve ruby's access restriction code. (CVE-2008-3655)

  - Improve safe-level handling using function DL.dlopen().
    (CVE-2008-3657)

  - Improve big decimal handling. (CVE-2009-1904)

  - Disable bypassing of HTTP basic authentication     (authenticate_with_http_digest).

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.

This update corrects the problem, including for older ruby versions.

It was discovered that Ruby did not properly validate certificates. An attacker could exploit this and present invalid or revoked X.509 certificates. (CVE-2009-0642)

It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. (CVE-2009-1904).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
67889	Oracle Linux 4 / 5 : ruby (ELSA-2009-1140)	Nessus	Oracle Linux Local Security Checks	medium
60613	Scientific Linux Security Update : ruby on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
51760	SuSE 10 Security Update : ruby (ZYPP Patch Number 6338)	Nessus	SuSE Local Security Checks	high
44725	Debian DSA-1860-1 : ruby1.8, ruby1.9 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
43767	CentOS 5 : ruby (CESA-2009:1140)	Nessus	CentOS Local Security Checks	medium
43044	Mandriva Linux Security Advisory : ruby (MDVSA-2009:325)	Nessus	Mandriva Local Security Checks	medium
42032	openSUSE 10 Security Update : ruby (ruby-6339)	Nessus	SuSE Local Security Checks	high
41452	SuSE 11 Security Update : ruby (SAT Patch Number 1073)	Nessus	SuSE Local Security Checks	high
41312	SuSE9 Security Update : ruby (YOU Patch Number 12452)	Nessus	SuSE Local Security Checks	high
40497	Mandriva Linux Security Advisory : ruby (MDVSA-2009:193)	Nessus	Mandriva Local Security Checks	medium
40329	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : ruby1.8, ruby1.9 vulnerabilities (USN-805-1)	Nessus	Ubuntu Local Security Checks	medium
40306	openSUSE Security Update : ruby (ruby-1070)	Nessus	SuSE Local Security Checks	high
40122	openSUSE Security Update : ruby (ruby-1070)	Nessus	SuSE Local Security Checks	high
39599	RHEL 4 / 5 : ruby (RHSA-2009:1140)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2009-0642

high

Tenable Plugins

medium

medium

high

medium

medium

medium

high

high

high

medium

medium

high

high

medium