Security update for ruby19 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:1889-1 Final 1 1 2015-10-05T09:31:55Z current 2015-10-05T09:31:55Z 2015-10-05T09:31:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby19 ruby19 was updated to fix two security issues. The following vulnerabilities were fixed: * CVE-2015-1855: Ruby OpenSSL hostname verification was too permissive (bsc#926974). * CVE-2009-5147: DL::dlopen could have loaded a library with tainted library name even if $SAFE > 0 (bsc#939860). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slestso13-ruby19-12180 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20151889-1/ Link for SUSE-SU-2015:1889-1 https://lists.suse.com/pipermail/sle-security-updates/2015-November/001661.html E-Mail link for SUSE-SU-2015:1889-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/926974 SUSE Bug 926974 https://bugzilla.suse.com/939860 SUSE Bug 939860 https://www.suse.com/security/cve/CVE-2009-5147/ SUSE CVE CVE-2009-5147 page https://www.suse.com/security/cve/CVE-2015-1855/ SUSE CVE CVE-2015-1855 page SUSE Studio Onsite 1.3 ruby19-1.9.3.p392-0.23.1 ruby19-devel-1.9.3.p392-0.23.1 ruby19-devel-extra-1.9.3.p392-0.23.1 ruby19-1.9.3.p392-0.23.1 as a component of SUSE Studio Onsite 1.3 ruby19-devel-1.9.3.p392-0.23.1 as a component of SUSE Studio Onsite 1.3 ruby19-devel-extra-1.9.3.p392-0.23.1 as a component of SUSE Studio Onsite 1.3 DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. CVE-2009-5147 SUSE Studio Onsite 1.3:ruby19-1.9.3.p392-0.23.1 SUSE Studio Onsite 1.3:ruby19-devel-1.9.3.p392-0.23.1 SUSE Studio Onsite 1.3:ruby19-devel-extra-1.9.3.p392-0.23.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151889-1/ https://www.suse.com/security/cve/CVE-2009-5147.html CVE-2009-5147 https://bugzilla.suse.com/939860 SUSE Bug 939860 https://bugzilla.suse.com/959495 SUSE Bug 959495 verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. CVE-2015-1855 SUSE Studio Onsite 1.3:ruby19-1.9.3.p392-0.23.1 SUSE Studio Onsite 1.3:ruby19-devel-1.9.3.p392-0.23.1 SUSE Studio Onsite 1.3:ruby19-devel-extra-1.9.3.p392-0.23.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151889-1/ https://www.suse.com/security/cve/CVE-2015-1855.html CVE-2015-1855 https://bugzilla.suse.com/926974 SUSE Bug 926974