Wind River Support Network

HomeDefectsLIN6-5365

Fixed

LIN6-5365 : Security Advisory - ruby - CVE-2013-4073

Created: Sep 2, 2013 Updated: Dec 3, 2018

Resolved Date: Jul 27, 2014

Previous ID: LIN3-26335

Found In Version: 6.0.0.10

Fix Version: 6.0.0.11

Severity: Standard

Applicable for: Wind River Linux 6

Component/s: Userspace

Description

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4073

Workaround

Unknown

Steps to Reproduce

Unknown

Other Downloads

Wind River Linux 6.0.0.29
Wind River Linux 6.0.0.30
Wind River Linux 6.0.0.31
Wind River Linux 6.0.0.32
Wind River Linux 6.0.0.33
Wind River Linux 6.0.0.34
Wind River Linux 6.0.0.35
Wind River Linux 6.0.0.36
Wind River Linux 6.0.0.37
Wind River Linux 6.0.0.38