|Description||The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.|
|Source||CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)|
|References||DSA-1410-1, DSA-1411-1, DSA-1412-1|
|NVD severity||medium (attack range: remote, user-initiated)|
|Debian/stable||not known to be vulnerable.|
|Debian/testing||not known to be vulnerable.|
|Debian/unstable||not known to be vulnerable.|
Vulnerable and fixed packages
The table below lists information on source packages.
|ruby1.8 (PTS)||squeeze, squeeze (security)||184.108.40.2062-2squeeze2||fixed|
|wheezy (security), wheezy||220.127.116.118-7.1+deb7u3||fixed|
The information below is based on the following data on fixed versions.
fix for 1.8 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504