libruby2_3-2_3-2.3.1-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10090 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libruby2_3-2_3-2.3.1-1.6 on GA media These are all security issues fixed in the libruby2_3-2_3-2.3.1-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10090 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10090 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2015-1855/ SUSE CVE CVE-2015-1855 page https://www.suse.com/security/cve/CVE-2015-3900/ SUSE CVE CVE-2015-3900 page openSUSE Tumbleweed libruby2_3-2_3-2.3.1-1.6 ruby2.3-2.3.1-1.6 ruby2.3-devel-2.3.1-1.6 ruby2.3-devel-extra-2.3.1-1.6 ruby2.3-doc-2.3.1-1.6 ruby2.3-doc-ri-2.3.1-1.6 ruby2.3-stdlib-2.3.1-1.6 ruby2.3-tk-2.3.1-1.6 libruby2_3-2_3-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-devel-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-devel-extra-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-doc-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-doc-ri-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-stdlib-2.3.1-1.6 as a component of openSUSE Tumbleweed ruby2.3-tk-2.3.1-1.6 as a component of openSUSE Tumbleweed verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. CVE-2015-1855 openSUSE Tumbleweed:libruby2_3-2_3-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-devel-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-devel-extra-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-doc-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-doc-ri-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-stdlib-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-tk-2.3.1-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1855.html CVE-2015-1855 https://bugzilla.suse.com/926974 SUSE Bug 926974 RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." CVE-2015-3900 openSUSE Tumbleweed:libruby2_3-2_3-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-devel-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-devel-extra-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-doc-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-doc-ri-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-stdlib-2.3.1-1.6 openSUSE Tumbleweed:ruby2.3-tk-2.3.1-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3900.html CVE-2015-3900 https://bugzilla.suse.com/936032 SUSE Bug 936032