Amazon Linux AMI update for ruby20

1) Input validation error

EUVDB-ID: #VU32555

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-1492

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Mitigation

Update the affected packages:

i686:
    rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686
    rubygem20-psych-2.0.0-1.25.amzn1.i686
    ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686
    ruby20-libs-2.0.0.645-1.25.amzn1.i686
    ruby20-devel-2.0.0.645-1.25.amzn1.i686
    rubygem20-io-console-0.4.2-1.25.amzn1.i686
    ruby20-2.0.0.645-1.25.amzn1.i686

noarch:
    ruby20-doc-2.0.0.645-1.25.amzn1.noarch
    ruby20-irb-2.0.0.645-1.25.amzn1.noarch
    rubygems20-2.0.14-1.25.amzn1.noarch
    rubygems20-devel-2.0.14-1.25.amzn1.noarch

src:
    ruby20-2.0.0.645-1.25.amzn1.src

x86_64:
    ruby20-debuginfo-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-io-console-0.4.2-1.25.amzn1.x86_64
    ruby20-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-1.25.amzn1.x86_64
    ruby20-devel-2.0.0.645-1.25.amzn1.x86_64
    ruby20-libs-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-psych-2.0.0-1.25.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-531.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU35016

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-1855

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Mitigation

Update the affected packages:

i686:
    rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686
    rubygem20-psych-2.0.0-1.25.amzn1.i686
    ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686
    ruby20-libs-2.0.0.645-1.25.amzn1.i686
    ruby20-devel-2.0.0.645-1.25.amzn1.i686
    rubygem20-io-console-0.4.2-1.25.amzn1.i686
    ruby20-2.0.0.645-1.25.amzn1.i686

noarch:
    ruby20-doc-2.0.0.645-1.25.amzn1.noarch
    ruby20-irb-2.0.0.645-1.25.amzn1.noarch
    rubygems20-2.0.14-1.25.amzn1.noarch
    rubygems20-devel-2.0.14-1.25.amzn1.noarch

src:
    ruby20-2.0.0.645-1.25.amzn1.src

x86_64:
    ruby20-debuginfo-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-io-console-0.4.2-1.25.amzn1.x86_64
    ruby20-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-1.25.amzn1.x86_64
    ruby20-devel-2.0.0.645-1.25.amzn1.x86_64
    ruby20-libs-2.0.0.645-1.25.amzn1.x86_64
    rubygem20-psych-2.0.0-1.25.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-531.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.