Add information about CVE-2015-3900

CVE-2015-3900.txt

@@ -0,0 +1,40 @@
+= Request hijacking vulnerability in RubyGems 2.4.5 and earlier
+
+RubyGems provides the ability of a domain to direct clients to a separate
+host that is used to fetch gems and make API calls against. This mechanism
+is implemented via DNS, specificly a SRV record _rubygems._tcp under the
+original requested domain.
+
+For example, this is the one that users who use rubygems.org see:
+
+  > dig _rubygems._tcp.rubygems.org SRV
+
+  ;; ANSWER SECTION:
+  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 api.rubygems.org.
+
+RubyGems did not validate the hostname returned in the SRV record before
+sending requests to it.
+
+This left clients open to a DNS hijack attack, whereby an attacker could
+return a SRV of their choosing and get the client to use it. For example:
+
+  > dig _rubygems._tcp.rubygems.org SRV
+
+  ;; ANSWER SECTION:
+  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 gems.nottobetrusted.wtf
+
+The fix, detailed at https://github.com/rubygems/rubygems/commit/6bbee35,
+shows that we validate the record now to be under the original domain. This
+restricts the client to be using the original trust/security domain as they
+would have otherwise.
+
+RubyGems versions between 2.0 and 2.4.5 are vulnerable.
+
+RubyGems version 2.0.16, 2.2.4, and 2.4.6 have been released that fix this
+issue.
+
+Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded
+versions of RubyGems.
+
+This vulnerability was reported by Jonathan Claudius <JClaudius@trustwave.com>.
+