[3.1] ruby: DNS hijacking vulnerability in api_endpoint() in rubygems (CVE-2015-3900)
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a “DNS hijack attack.”
Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded versions of RubyGems.
ruby 2.2.3 includes the security fix for both CVE-2015-3900 and CVE-2015-4020.
References:
https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-2-3-released/
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
Patch for CVE-2015-4020 (included in ruby 2.2.3)
https://github.com/rubygems/rubygems/commit/5c7bfb5
(from redmine: issue id 4787, created on 2015-10-21, closed on 2015-12-09)
- Relations:
- parent #4785 (closed)
- Changesets:
- Revision ae5c21c4 on 2015-12-03T14:28:42Z:
main/ruby: security upgrade to 2.1.7 (CVE-2015-3900). Fixes #4787
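
The missing hostname validation described in this issue, sketched as an added example (not RubyGems' own code and not part of the original report): a client that follows a DNS SRV record should accept the returned target only when it is the configured host or a subdomain of it. The helper names `normalize_host`, `srv_target_allowed?` and `choose_api_host` are hypothetical, and the sample targets are constructed.

```ruby
# Added example; helper names are hypothetical, sample values are constructed.

LABEL = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = /\A#{LABEL}(?:\.#{LABEL})*\z/

# Normalise a DNS name for comparison: lower-case, drop the trailing root dot.
def normalize_host(name)
  name.to_s.strip.downcase.chomp(".")
end

# True only when the SRV target is the origin host itself or a subdomain of
# it. The comparison is made on a label boundary (leading "."), so a name
# that merely ends with the same characters does not pass.
def srv_target_allowed?(origin_host, srv_target)
  origin = normalize_host(origin_host)
  target = normalize_host(srv_target)
  return false if origin.empty? || target.empty?
  # Reject anything that is not a plain hostname (no port, path or userinfo).
  return false unless target.match?(HOSTNAME_RE)

  target == origin || target.end_with?(".#{origin}")
end

# Host to contact: the SRV target if it validates, otherwise the origin host.
def choose_api_host(origin_host, srv_target)
  if srv_target_allowed?(origin_host, srv_target)
    normalize_host(srv_target)
  else
    normalize_host(origin_host)
  end
end

if __FILE__ == $PROGRAM_NAME
  origin = "rubygems.org"
  # Constructed SRV targets, as a resolver might return them.
  ["api.rubygems.org.", "mirror.example.net.", "notrubygems.org.",
   "rubygems.org.mirror.example.net."].each do |target|
    verdict = srv_target_allowed?(origin, target) ? "accept" : "reject"
    puts format("%-34s %-6s -> %s", target, verdict, choose_api_host(origin, target))
  end
end
```
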