Skip to content

CVE-2018-16395: OpenSSL::X509::Name equality check does not work #357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
corymcdonald wants to merge 2 commits into from
Closed

CVE-2018-16395: OpenSSL::X509::Name equality check does not work #357

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6b19c9a
CVE-2018-16395: OpenSSL::X509::Name equality check does not work corr…
Oct 17, 2018
87ce8e5
Rename file
Oct 18, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions gems/openssl/2018-16395.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
gem: openssl
date: 2018-10-17
url: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
cve: CVE-2018-16395
title: OpenSSL::X509::Name equality check does not work correctly
description: An instance of OpenSSL::X509::Name contains entities such as CN, C and
so on. Some two instances of OpenSSL::X509::Name are equal only when all entities
are exactly equal. However, there is a bug that the equality check is not correct
if the value of an entity of the argument (right-hand side) starts with the value
of the receiver (left-hand side). So, if a malicious X.509 certificate is passed
to compare with an existing certificate, there is a possibility to be judged incorrectly
that they are equal.
unaffected_versions:
- "< 2.1.2"
patched_versions:
- ">= 2.1.2"