Security Advisory Moderate: ruby193-ruby security update

Advisory: RHSA-2013:1103-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-07-23
Last updated on: 2013-07-23
Affected Products: Red Hat OpenStack 3.0
CVEs: CVE-2013-4073


Updated ruby193-ruby packages that fix one security issue are now available
for Red Hat OpenStack 3.0 (Grizzly).

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby is an extensible, interpreted, object-oriented scripting language. It
has features to process text files and to do system management tasks. Red
Hat OpenStack makes use of Puppet, which is written in Ruby.

A flaw was found in Ruby's SSL client's hostname identity check when
handling certificates that contain hostnames with NULL bytes. An attacker
could potentially exploit this flaw to conduct a man-in-the-middle attack
against the Puppet master and its clients. Note that to exploit this issue,
an attacker would need to get a carefully-crafted certificate signed by an
authority that the Puppet master and clients trust. (CVE-2013-4073)
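The following is an added illustration of the check described above; it is not code from the advisory, and it is not Ruby's own OpenSSL::SSL.verify_certificate_identity. It places a naive hostname matcher that behaves like a C string comparison (everything after the first NUL byte is ignored, which is the failure mode this update addresses) beside a hardened matcher that rejects any certificate name containing a NUL byte and validates the whole decoded name as a unit. The sample names, the "attacker.test" domain and the helper names are constructed for the example.

```ruby
# Added example, not part of the advisory and not Ruby's own
# OpenSSL::SSL.verify_certificate_identity: a certificate hostname check that
# rejects names containing NUL bytes, shown beside a naive check that behaves
# like a C string comparison and silently stops at the first NUL.

# Constructed sample names; "attacker.test" is a placeholder domain.
SAMPLE_SAN_PLAIN = "www.example.com".freeze
SAMPLE_SAN_WITH_NUL = "www.example.com\0.attacker.test".freeze

# Turn a certificate name (optionally with a leading "*" label) into an
# anchored, case-insensitive regexp. Shared by both checks below.
def name_to_regexp(cert_name)
  pattern = Regexp.escape(cert_name).gsub('\*', '[^.]+')
  /\A#{pattern}\z/i
end

# Naive check: models the failure mode behind CVE-2013-4073. The name is cut
# at the first NUL byte before comparison, so whatever follows it is never
# looked at. Kept here only to show what the hardened check prevents.
def naive_dns_name_match?(cert_name, hostname)
  visible = cert_name.split("\0", 2).first.to_s
  !(name_to_regexp(visible) =~ hostname).nil?
end

# Hardened check: the whole decoded name must be a well-formed DNS name
# (no NUL or other non-DNS characters, no empty labels, a wildcard only as
# the entire leftmost label) and must match the hostname as a unit.
def safe_dns_name_match?(cert_name, hostname)
  return false if cert_name.include?("\0") || hostname.include?("\0")
  return false unless cert_name =~ /\A[A-Za-z0-9*.\-]+\z/
  labels = cert_name.split('.', -1)
  return false if labels.any?(&:empty?)
  return false if labels.length < 2 && labels.first.include?('*')
  return false if labels.first.include?('*') && labels.first != '*'
  return false if labels.drop(1).any? { |l| l.include?('*') }
  !(name_to_regexp(cert_name) =~ hostname).nil?
end

# Identity check over a certificate's names, following the usual rule that
# dNSName subjectAltName entries take precedence and the Common Name is only
# consulted when the certificate carries no dNSName entries at all.
# san_dns_names: Array of dNSName strings as decoded from the SAN extension.
def verify_identity(san_dns_names, common_name, hostname)
  unless san_dns_names.empty?
    return san_dns_names.any? { |n| safe_dns_name_match?(n, hostname) }
  end
  !common_name.nil? && safe_dns_name_match?(common_name, hostname)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, name with NUL: #{naive_dns_name_match?(SAMPLE_SAN_WITH_NUL, 'www.example.com')}"
  puts "safe,  name with NUL: #{safe_dns_name_match?(SAMPLE_SAN_WITH_NUL, 'www.example.com')}"
  puts "safe,  plain name:    #{safe_dns_name_match?(SAMPLE_SAN_PLAIN, 'www.example.com')}"
end
```

The important design point is that the hardened matcher operates on the name exactly as decoded from the certificate's ASN.1 structure, length and all, rather than on a printed or C-string form that can be cut short; with that in place a name such as the constructed SAMPLE_SAN_WITH_NUL fails the identity check instead of being accepted as www.example.com.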

Users of Red Hat OpenStack 3.0 (Grizzly) are advised to upgrade to these
updated packages, which correct this issue. After installing the update,
the puppetmaster service must be restarted on the Puppet master server,
and the puppet service must be restarted on all clients that run the
Puppet agent as a daemon.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat OpenStack 3.0

File outdated by:  RHSA-2014:0011
    MD5: ceaa551851bfa4b9827439d5cd234648
SHA-256: 9e17f27dfd1ad375a33e73816d495516a68557ab18e296c2827e4c2e9639ec27
File outdated by:  RHSA-2014:0011
    MD5: b64db795fd631fdd2085b1f0c7da73fe
SHA-256: c79bc85245dd9802583f810eba2f8d07e56c98fc2b8324c98fb5cd222d92056e
File outdated by:  RHSA-2014:0011
    MD5: e488034b9c6cc8a6d6321edd0759c1f0
SHA-256: ca45f76f43b8a33538f5653a85e32ff17833d1a4f891c50b05d359a094218035
File outdated by:  RHSA-2014:0011
    MD5: 69eecb39881e07d56f659a919b121e9d
SHA-256: 5c2ab090cce715902328d1d276106b4cd3c0f9e728cc0de4a7e4ef57a639f8c2
File outdated by:  RHSA-2014:0011
    MD5: 26f176a0b4ae3fc63586dea35dd9da52
SHA-256: f64f14556d172c299c6ad3b9c8c1010d465ed231c04c880cc4cdde581205c3cf
File outdated by:  RHSA-2014:0011
    MD5: 13c1de804e7c7059dafe6fc444ad9fcc
SHA-256: 47823dd6bf550587fcf5b5daff1747cc10a5b3bccb5431dd5adf42cabb01239a
File outdated by:  RHSA-2014:0011
    MD5: 0932443e9ce1d36e5404ebde1b5a96a0
SHA-256: 3ac85f7b7b9e1a57f053ca78d21885644c1ca2a423d2b888c36115b479f03ae0
File outdated by:  RHSA-2014:0011
    MD5: 1e7e524f9735d265e733322d6df6999f
SHA-256: 49b2739acd2ac7e81dd8280cec95b892c1386b131f0b92a952eda291328708f0
File outdated by:  RHSA-2014:0011
    MD5: 050542dfcd9b41ce91b5c5d06d1648a7
SHA-256: 31b7f095e732e4c76d9d1ba60cec66f4e5c47328f1844569efa702903bb9e3f3
File outdated by:  RHSA-2014:0011
    MD5: 82ec0c00750af2f2db34fb57f8bb1eb2
SHA-256: 8355f071cc3bbb56afc93495b8b4ec044656d2427c8fa8305a481741fd214338
File outdated by:  RHSA-2014:0011
    MD5: e4b2d973559dde1d7847d7f7569ce44e
SHA-256: 85c66a3b4bca1bc5b1d58decd6fd1cf13bb3fb284665ac154ab47038f015b7a3
File outdated by:  RHSA-2014:0011
    MD5: 805b2ab14beedfec3657b01c83c83b36
SHA-256: 0c9f759b6e461bbcd309d89afb0021585b1df0c79c733c77d03eade04fdd234b
File outdated by:  RHSA-2014:0011
    MD5: 5cf115f9527f086ae671467e427ff596
SHA-256: 37b8207e009d663da371ce47392697d4ef6f1233bce9996e52233ba6396f5ac9
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

979251 - CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at