1bc9eed0b5
- ruby-r12567.patch: removed. - ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is insufficient verification of SSL certificate. (#313791)
100 lines
3.4 KiB
Diff
100 lines
3.4 KiB
Diff
diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb
|
|
--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900
|
|
+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900
|
|
@@ -88,7 +88,7 @@
|
|
end
|
|
}
|
|
end
|
|
- raise SSLError, "hostname not match"
|
|
+ raise SSLError, "hostname not match with the server certificate"
|
|
end
|
|
end
|
|
|
|
diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb
|
|
--- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900
|
|
+++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900
|
|
@@ -470,6 +470,7 @@
|
|
@debug_output = nil
|
|
@use_ssl = false
|
|
@ssl_context = nil
|
|
+ @enable_post_connection_check = true
|
|
end
|
|
|
|
def inspect
|
|
@@ -526,6 +527,9 @@
|
|
false # redefined in net/https
|
|
end
|
|
|
|
+ # specify enabling SSL server certificate and hostname checking.
|
|
+ attr_accessor :enable_post_connection_check
|
|
+
|
|
# Opens TCP connection and HTTP session.
|
|
#
|
|
# When this method is called with block, gives a HTTP object
|
|
@@ -584,6 +588,14 @@
|
|
HTTPResponse.read_new(@socket).value
|
|
end
|
|
s.connect
|
|
+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
|
|
+ begin
|
|
+ s.post_connection_check(@address)
|
|
+ rescue OpenSSL::SSL::SSLError => ex
|
|
+ raise ex if @enable_post_connection_check
|
|
+ warn ex.message
|
|
+ end
|
|
+ end
|
|
end
|
|
on_connect
|
|
end
|
|
diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb
|
|
--- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900
|
|
+++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900
|
|
@@ -229,6 +229,7 @@
|
|
if target.class == URI::HTTPS
|
|
require 'net/https'
|
|
http.use_ssl = true
|
|
+ http.enable_post_connection_check = true
|
|
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
store = OpenSSL::X509::Store.new
|
|
store.set_default_paths
|
|
@@ -240,16 +241,6 @@
|
|
|
|
resp = nil
|
|
http.start {
|
|
- if target.class == URI::HTTPS
|
|
- # xxx: information hiding violation
|
|
- sock = http.instance_variable_get(:@socket)
|
|
- if sock.respond_to?(:io)
|
|
- sock = sock.io # 1.9
|
|
- else
|
|
- sock = sock.instance_variable_get(:@socket) # 1.8
|
|
- end
|
|
- sock.post_connection_check(target_host)
|
|
- end
|
|
req = Net::HTTP::Get.new(request_uri, header)
|
|
if options.include? :http_basic_authentication
|
|
user, pass = options[:http_basic_authentication]
|
|
diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h
|
|
--- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900
|
|
+++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900
|
|
@@ -1,15 +1,15 @@
|
|
#define RUBY_VERSION "1.8.6"
|
|
-#define RUBY_RELEASE_DATE "2007-09-23"
|
|
+#define RUBY_RELEASE_DATE "2007-09-24"
|
|
#define RUBY_VERSION_CODE 186
|
|
-#define RUBY_RELEASE_CODE 20070923
|
|
-#define RUBY_PATCHLEVEL 110
|
|
+#define RUBY_RELEASE_CODE 20070924
|
|
+#define RUBY_PATCHLEVEL 111
|
|
|
|
#define RUBY_VERSION_MAJOR 1
|
|
#define RUBY_VERSION_MINOR 8
|
|
#define RUBY_VERSION_TEENY 6
|
|
#define RUBY_RELEASE_YEAR 2007
|
|
#define RUBY_RELEASE_MONTH 9
|
|
-#define RUBY_RELEASE_DAY 23
|
|
+#define RUBY_RELEASE_DAY 24
|
|
|
|
#ifdef RUBY_EXTERN
|
|
RUBY_EXTERN const char ruby_version[];
|