CESA-2013:1090 -- centos 5 ruby
ID: oval:org.secpod.oval:def:202912 | Date: (C)2013-09-25 (M)2023-12-07 |
Class: PATCH | Family: unix |
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks. A flaw was found in the hostname identity check of Ruby's SSL client when it handles certificates containing hostnames with NULL bytes (CVE-2013-4073): the check effectively stopped reading the certificate's name at the first NULL byte, so a name crafted as a legitimate hostname followed by a NULL and an attacker-controlled suffix matched the legitimate hostname. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks and spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain such a carefully-crafted certificate signed by an authority that the client trusts. All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Long-running Ruby applications must be restarted after the update for the fix to take effect.
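The following is an added illustration of the flaw class, not code from the advisory, from Ruby or from OpenSSL. It builds a minimal subjectAltName extension in DER (hand-rolled helpers, a hypothetical stand-in for the real X.509 machinery), then compares two hostname checkers over it: a vulnerable model in which the decoded dNSName passes through a NUL-terminated-string consumer before comparison, and a hardened model that compares the full decoded bytes and rejects any name carrying a NUL. The certificate names are constructed sample data.

```ruby
# Added example (not Ruby's or OpenSSL's code): a toy subjectAltName matcher
# showing why an embedded NUL byte defeats a hostname check that treats the
# certificate name as a C string, and how a length-aware check resists it.

# DER length encoding for the short and single-byte long forms (sufficient here).
def der_length(n)
  n < 0x80 ? [n].pack("C") : [0x81, n].pack("CC")
end

def read_length(bytes, pos)
  first = bytes.getbyte(pos)
  return [first, pos + 1] if first < 0x80
  return [bytes.getbyte(pos + 1), pos + 2] if first == 0x81
  raise "unsupported DER length form"
end

# subjectAltName ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String,
# which in DER is tag byte 0x82 followed by a length and the raw name bytes.
def encode_san(dns_names)
  body = dns_names.map { |n| "\x82".b + der_length(n.bytesize) + n.b }.join
  "\x30".b + der_length(body.bytesize) + body
end

# Returns every dNSName exactly as encoded. DER carries an explicit length, so a
# NUL byte inside the name is ordinary content and survives decoding intact.
def decode_san(der)
  raise "not a SEQUENCE" unless der.getbyte(0) == 0x30
  len, pos = read_length(der, 1)
  stop = pos + len
  names = []
  while pos < stop
    tag = der.getbyte(pos)
    nlen, pos = read_length(der, pos + 1)
    names << der.byteslice(pos, nlen) if tag == 0x82
    pos += nlen
  end
  names
end

# Shared comparison rule: case-insensitive exact match, or a single leftmost-label
# wildcard ("*.cdn.bank.example" matches "a.cdn.bank.example" only).
def label_match?(pattern, hostname)
  p = pattern.downcase
  h = hostname.downcase
  return p == h unless p.start_with?("*.")
  h.count(".") == p.count(".") && h.end_with?(p[1..]) && !h.start_with?(".")
end

# Vulnerable model: the name is handed to something that stops at the first NUL
# before the comparison, so "www.bank.example\0.evil.example" is compared as
# "www.bank.example" and matches the victim hostname.
def naive_match(hostname, san_der)
  decode_san(san_der).any? do |name|
    c_str = name.include?("\0") ? name[0, name.index("\0")] : name
    label_match?(c_str, hostname)
  end
end

# Hardened model: compare the full decoded bytes and reject any name containing
# a NUL outright, since no legitimate DNS name ever contains one.
def hardened_match(hostname, san_der)
  decode_san(san_der).any? do |name|
    !name.include?("\0") && label_match?(name, hostname)
  end
end

# Constructed sample data. ATTACKER_SAN is the shape of name an attacker who
# controls evil.example would try to get a trusted CA to sign.
ATTACKER_SAN = encode_san(["www.bank.example\0.evil.example"])
LEGIT_SAN    = encode_san(["www.bank.example", "*.cdn.bank.example"])

if __FILE__ == $0
  puts "naive:    #{naive_match('www.bank.example', ATTACKER_SAN)}"    # spoof succeeds
  puts "hardened: #{hardened_match('www.bank.example', ATTACKER_SAN)}" # spoof rejected
end
```

The design point is that the DER decoder already knows the name's true length; the vulnerability comes from any later step that reinterprets the bytes as a NUL-terminated string. Rejecting names with embedded NULs is the cheap defence-in-depth check, and comparing on the decoded length rather than on a converted string is the actual fix.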