Lucene search
AmazonALAS-2015-531HistoryMay 27, 2015 - 2:05 p.m.
Medium: ruby20
2015-05-2714:05:00
alas.aws.amazon.com
13
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.028 Low
EPSS
Percentile
90.6%
Issue Overview:
As discussed in an upstream announcement (https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/), Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492.
Affected Packages:
ruby20
Issue Correction:
Run yum update ruby20 to update your system.
New Packages:
i686:
rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686
rubygem20-psych-2.0.0-1.25.amzn1.i686
ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686
ruby20-libs-2.0.0.645-1.25.amzn1.i686
ruby20-devel-2.0.0.645-1.25.amzn1.i686
rubygem20-io-console-0.4.2-1.25.amzn1.i686
ruby20-2.0.0.645-1.25.amzn1.i686
noarch:
ruby20-doc-2.0.0.645-1.25.amzn1.noarch
ruby20-irb-2.0.0.645-1.25.amzn1.noarch
rubygems20-2.0.14-1.25.amzn1.noarch
rubygems20-devel-2.0.14-1.25.amzn1.noarch
src:
ruby20-2.0.0.645-1.25.amzn1.src
x86_64:
ruby20-debuginfo-2.0.0.645-1.25.amzn1.x86_64
rubygem20-io-console-0.4.2-1.25.amzn1.x86_64
ruby20-2.0.0.645-1.25.amzn1.x86_64
rubygem20-bigdecimal-1.2.0-1.25.amzn1.x86_64
ruby20-devel-2.0.0.645-1.25.amzn1.x86_64
ruby20-libs-2.0.0.645-1.25.amzn1.x86_64
rubygem20-psych-2.0.0-1.25.amzn1.x86_64
Additional References
Red Hat: CVE-2015-1855
Mitre: CVE-2015-1855
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | rubygem20-bigdecimal | < 1.2.0-1.25.amzn1 | rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | rubygem20-psych | < 2.0.0-1.25.amzn1 | rubygem20-psych-2.0.0-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | ruby20-debuginfo | < 2.0.0.645-1.25.amzn1 | ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | ruby20-libs | < 2.0.0.645-1.25.amzn1 | ruby20-libs-2.0.0.645-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | ruby20-devel | < 2.0.0.645-1.25.amzn1 | ruby20-devel-2.0.0.645-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | rubygem20-io-console | < 0.4.2-1.25.amzn1 | rubygem20-io-console-0.4.2-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | ruby20 | < 2.0.0.645-1.25.amzn1 | ruby20-2.0.0.645-1.25.amzn1.i686.rpm |
| Amazon Linux | 1 | noarch | ruby20-doc | < 2.0.0.645-1.25.amzn1 | ruby20-doc-2.0.0.645-1.25.amzn1.noarch.rpm |
| Amazon Linux | 1 | noarch | ruby20-irb | < 2.0.0.645-1.25.amzn1 | ruby20-irb-2.0.0.645-1.25.amzn1.noarch.rpm |
| Amazon Linux | 1 | noarch | rubygems20 | < 2.0.14-1.25.amzn1 | rubygems20-2.0.14-1.25.amzn1.noarch.rpm |
Related
nessus
nessus
Amazon Linux AMI : ruby20 (ALAS-2015-531)
2015-05-29 00:00:00
Amazon Linux AMI : ruby21 (ALAS-2015-532)
2015-05-29 00:00:00
Amazon Linux AMI : ruby19 (ALAS-2015-530)
2015-05-29 00:00:00
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2015-531)
2015-09-08 00:00:00
Amazon Linux: Security Advisory (ALAS-2015-533)
2015-09-08 00:00:00
Amazon Linux: Security Advisory (ALAS-2015-529)
2015-09-08 00:00:00
amazon
amazon
cloudfoundry
cloudfoundry
CVE-2015-1855 Ruby OpenSSL Hostname Verification | Cloud Foundry
2015-04-30 00:00:00
seebug
seebug
Mozilla Network Security Services 'p12creat.c'内存破坏漏洞
2014-03-25 00:00:00
redhat
redhat
oraclelinux
oraclelinux
nss, nss-util, nss-softokn security, bug fix, and enhancement update
2014-08-18 00:00:00
nss and nspr security, bug fix, and enhancement update
2014-09-17 00:00:00
nss and nspr security, bug fix, and enhancement update
2014-07-22 00:00:00
slackware
slackware
[slackware-security] mozilla-nss
2014-03-28 22:54:39
prion
prion
Design/Logic Flaw
2014-03-25 13:25:00
Design/Logic Flaw
2019-11-29 21:15:00
veracode
veracode
Man-in-the-Middle Attack
2019-05-02 05:03:48
Denial Of Service (DoS)
2019-05-02 05:03:51
debiancve
debiancve
CVE-2014-1492
2014-03-25 13:25:00
osv
osv
ruby1.8 - security update
2015-05-02 00:00:00
ruby1.9.1 - security update
2015-05-02 00:00:00
ruby2.1 - security update
2015-05-02 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: ruby-2.1.6-27.fc21
2015-04-28 13:11:23
[SECURITY] Fedora 22 Update: ruby-2.2.2-11.fc22
2015-04-23 16:09:56
ubuntucve
ubuntucve
CVE-2015-1855
2015-04-09 00:00:00
CVE-2014-1492
2014-03-25 00:00:00
debian
debian
[SECURITY] [DLA 224-1] ruby1.8 security update
2015-05-18 21:57:18
[SECURITY] [DSA 3246-1] ruby1.9.1 security update
2015-05-02 11:20:09
[SECURITY] [DSA 3245-1] ruby1.8 security update
2015-05-02 11:19:31
mageia
mageia
Updated ruby packages fix CVE-2015-1855
2015-05-03 03:19:16
Updated nss, firefox and thunderbird packages fix security vulnerabilities
2014-03-20 22:33:01
freebsd
freebsd
Ruby -- OpenSSL Hostname Verification Vulnerability
2015-04-13 00:00:00
mozilla -- multiple vulnerabilities
2014-04-29 00:00:00
securityvulns
securityvulns
[ MDVSA-2014:066 ] nss
2014-03-24 00:00:00
Ruby SSL checks bypass
2015-05-04 00:00:00
[ MDVSA-2015:224 ] ruby
2015-05-04 00:00:00
ubuntu
ubuntu
NSS vulnerability
2014-04-02 00:00:00
Ruby vulnerabilities
2017-07-25 00:00:00
Firefox vulnerabilities
2014-04-29 00:00:00
centos
centos
nss security update
2014-08-18 21:47:41
nss security update
2014-09-30 11:21:57
nspr, nss security update
2014-07-23 02:49:51
cve
cve
CVE-2014-1492
2014-03-25 13:25:00
CVE-2015-1855
2019-11-29 21:15:00
mozilla
mozilla
Incorrect IDNA domain name matching for wildcard certificates — Mozilla
2014-04-29 00:00:00
archlinux
archlinux
ruby: permissive certificate verification
2015-04-14 00:00:00
suse
suse
Security update for ruby2.1 (important)
2017-04-28 18:11:28
Security update for ruby2.1 (important)
2017-04-20 12:08:57
Mozilla updates 07/2014 (important)
2014-07-30 20:47:31
f5
f5
K16716 : Multiple Mozilla NSS vulnerabilities
2015-09-17 00:00:00
SOL16716 - Multiple Mozilla NSS vulnerabilities
2015-06-05 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2014
2014-07-15 00:00:00
Oracle Critical Patch Update - October 2014
2014-10-14 00:00:00
Oracle Critical Patch Update Advisory - January 2015
2015-03-10 00:00:00
gentoo
gentoo
Mozilla Products: Multiple vulnerabilities
2015-04-07 00:00:00
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.028 Low
EPSS
Percentile
90.6%
Related for ALAS-2015-531