CVE-2018-16395
16.11.2018, 18:29
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.Enginsight
| Vendor | Product | Version |
|---|---|---|
| ruby-lang | openssl | 𝑥 < 2.1.2 |
| ruby-lang | ruby | 2.3.0 ≤ 𝑥 ≤ 2.3.7 |
| ruby-lang | ruby | 2.4.0 ≤ 𝑥 ≤ 2.4.4 |
| ruby-lang | ruby | 2.5.0 ≤ 𝑥 ≤ 2.5.1 |
| ruby-lang | ruby | 2.6.0:preview1 |
| ruby-lang | ruby | 2.6.0:preview2 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 18.10 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux | 7.4 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ruby-openssl |
| ||||||||||||||||||||||||||||||
| ruby1.9.1 |
| ||||||||||||||||||||||||||||||
| ruby2.0 |
| ||||||||||||||||||||||||||||||
| ruby2.3 |
| ||||||||||||||||||||||||||||||
| ruby2.5 |
|
References