CentOS Update For Ruby CESA-2013:1090 Centos6 Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073) All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.

Affected

ruby on CentOS 6

References

http://lists.centos.org/pipermail/centos-announce/2013-July/019862.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-4073
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

CentOS Security Advisory CESA-2009:0340 (libpng)
CentOS Security Advisory CESA-2009:1463 (newt)
CentOS Security Advisory CESA-2009:0295 (net-snmp)
CentOS Update for apr CESA-2011:0507 centos5 x86_64
CentOS Security Advisory CESA-2009:0341-01 (Moderate)

CentOS Update for ruby CESA-2013:1090 centos6

Take action and discover your vulnerabilities