[DRE-maint] Bug#967063: ruby-faye: CVE-2020-15134
Salvatore Bonaccorso
carnil at debian.org
Mon Aug 3 20:20:51 BST 2020
Source: ruby-faye
Version: 1.2.4-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/faye/faye/issues/524
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for ruby-faye.
CVE-2020-15134[0]:
| Faye before version 1.4.0, there is a lack of certification validation
| in TLS handshakes. Faye uses em-http-request and faye-websocket in the
| Ruby version of its client. Those libraries both use the
| `EM::Connection#start_tls` method in EventMachine to implement the TLS
| handshake whenever a `wss:` URL is used for the connection. This
| method does not implement certificate verification by default, meaning
| that it does not check that the server presents a valid and trusted
| TLS certificate for the expected hostname. That means that any
| `https:` or `wss:` connection made using these libraries is vulnerable
| to a man-in-the-middle attack, since it does not confirm the identity
| of the server it is connected to. The first request a Faye client
| makes is always sent via normal HTTP, but later messages may be sent
| via WebSocket. Therefore it is vulnerable to the same problem that
| these underlying libraries are, and we needed both libraries to
| support TLS verification before Faye could claim to do the same. Your
| client would still be insecure if its initial HTTPS request was
| verified, but later WebSocket connections were not. This is fixed in
| Faye v1.4.0, which enables verification by default. For further
| background information on this issue, please see the referenced GitHub
| Advisory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134
[1] https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9
[2] https://github.com/faye/faye/issues/524
[3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list