I’ve just released jruby-openssl 0.6. jruby-openssl is an add-on gem
that implements Ruby’s OpenSSL extension for JRuby.
PLEASE NOTE: this is a recommended upgrade. A security vulnerability
was discovered in jruby-openssl versions 0.5.2 and earlier. This
vulnerability only applies if you’re using JRuby and the jruby-openssl
library.
The security problem involves peer certificate verification where
failed verification silently did nothing, making affected applications
vulnerable to attackers. Attackers could lead a client application to
believe that a secure connection to a rogue SSL server is legitimate.
Attackers could also penetrate client-validated SSL server
applications with a dummy certificate. Your application might be
vulnerable if you’re using any of these versions of jruby-openssl
along with the OpenSSL::SSL::VERIFY_PEER mode on the SSL socket.
Please see the full disclosure below 1 to determine if your
application is affected. If you have any questions, please send email
to [email protected], a private email address.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2009-4123 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Thanks to NaHi (NAKAMURA Hiroshi) for finding the problem and
providing the fix.
/Nick
Changelog:
- Many fixes from NaHi, including issues related to certificate
verification and certificate store purpose verification.- implement OpenSSL::X509::Store#set_default_paths
- MRI compat. fix: OpenSSL::X509::Store#add_file
- Fix nsCertType handling.
- Fix Cipher#key_len for DES-EDE3: 16 should be 24.
- Modified test expectations around Cipher#final.
- Public keys are lazily instantiated when the
X509::Certificate#public_key method is called (Dave Garcia)