[DRE-maint] Bug#967061: ruby-faye-websocket: CVE-2020-15133
Salvatore Bonaccorso
carnil at debian.org
Mon Aug 3 20:17:22 BST 2020
Source: ruby-faye-websocket
Version: 0.10.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for ruby-faye-websocket.
CVE-2020-15133[0]:
| In faye-websocket before version 0.11.0, there is a lack of
| certification validation in TLS handshakes. The
| `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls`
| method in EventMachine to implement the TLS handshake whenever a
| `wss:` URL is used for the connection. This method does not implement
| certificate verification by default, meaning that it does not check
| that the server presents a valid and trusted TLS certificate for the
| expected hostname. That means that any `wss:` connection made using
| this library is vulnerable to a man-in-the-middle attack, since it
| does not confirm the identity of the server it is connected to. For
| further background information on this issue, please see the
| referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is
| recommended.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15133
[1] https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv
[2] https://github.com/faye/faye-websocket-ruby/pull/129
[3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list