I've just released jruby-openssl 0.6. jruby-openssl is an add-on gem that implements Ruby's OpenSSL extension for JRuby.
PLEASE NOTE: this is a recommended upgrade. A security vulnerability was discovered in jruby-openssl versions 0.5.2 and earlier. This vulnerability only applies if you're using JRuby and the jruby-openssl library.
The security problem involves peer certificate verification where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate. Your application might be vulnerable if you're using any of these versions of jruby-openssl along with the OpenSSL::SSL::VERIFY_PEER mode on the SSL socket. Please see the full disclosure below [1] to determine if your application is affected. If you have any questions, please send email to security@jruby.org, a private email address.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-4123 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Thanks to NaHi (NAKAMURA Hiroshi) for finding the problem and providing the fix.
/Nick
[1]: http://www.jruby.org/2009/12/07/vulnerability-in-jruby-openssl.html
Changelog:
- Many fixes from NaHi, including issues related to certificate verification and certificate store purpose verification.
- implement OpenSSL::X509::Store#set_default_paths
- MRI compat. fix: OpenSSL::X509::Store#add_file
- Fix nsCertType handling.
- Fix Cipher#key_len for DES-EDE3: 16 should be 24.
- Modified test expectations around Cipher#final.
- Public keys are lazily instantiated when the X509::Certificate#public_key method is called (Dave Garcia)