
Jun 28, 2013 09:21 GMT

Ruby 2.0.0 patchlevel 247, Ruby 1.9.3 patchlevel 448 and Ruby 1.8.7 patchlevel 374 were released on Thursday to fix a hostname verification bypass in Ruby's SSL client.

The vulnerability, identified by William Snow Orvis of iSEC Partners, lets an attacker mount a man-in-the-middle attack and impersonate an SSL server using a certificate that was legitimately issued by a certificate authority the client trusts. The certificate is not forged; the flaw is in how Ruby compares the names it contains against the expected hostname.

“When a CA that an SSL client trusts allows the issuance of a server certificate that has a null byte in subjectAltName, remote attackers can obtain the certificate for ‘www.ruby-lang.org\0.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and do man-in-the-middle between Ruby’s SSL client and SSL servers,” the vulnerability advisory reads.
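The mechanism in the advisory is a length confusion: the CA vets the whole name, `www.ruby-lang.org\0.example.com`, which belongs to the attacker's `example.com`, while a client that treats the dNSName as a C string stops reading at the null byte and sees only `www.ruby-lang.org`. The following Ruby script is an added example, not code from the article or from the Ruby project; it builds a certificate with such a subjectAltName from raw ASN.1 (the text-based extension API rejects null bytes), models the pre-fix comparison against a hardened one that reads the full ASN.1 length, and shows that today's `OpenSSL::SSL.verify_certificate_identity` also rejects it. The sample names and the helper names (`san_extension`, `cert_with_san`, `san_dns_names`, `vulnerable_identity_check`, `hardened_identity_check`) are this example's own.

```ruby
require "openssl"

# Constructed sample data for this example.
HOST       = "www.ruby-lang.org"
SPOOF_NAME = "www.ruby-lang.org\0.example.com"  # NUL right after the victim name
LEGIT_NAME = "www.ruby-lang.org"

# Build a subjectAltName extension from raw ASN.1 so the embedded NUL
# survives; the text-based ExtensionFactory interface refuses NUL bytes.
def san_extension(*dns_names)
  general_names = dns_names.map do |name|
    # dNSName is GeneralName CHOICE [2] IMPLICIT IA5String (RFC 5280)
    OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
  end
  OpenSSL::X509::Extension.new("subjectAltName",
                               OpenSSL::ASN1::Sequence.new(general_names).to_der)
end

# Minimal unsigned certificate carrying that SAN. Hostname matching never
# consults the signature, so this is enough to exercise both checks.
def cert_with_san(*dns_names)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, the version that carries extensions
  cert.add_extension(san_extension(*dns_names))
  cert
end

# Pull every dNSName out of the certificate by decoding the extension's own
# DER, so each name keeps its full ASN.1 length, NUL bytes included.
def san_dns_names(cert)
  cert.extensions.select { |ext| ext.oid == "subjectAltName" }.flat_map do |ext|
    extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last # OCTET STRING
    OpenSSL::ASN1.decode(extn_value.value).value
      .select { |gn| gn.tag == 2 && gn.tag_class == :CONTEXT_SPECIFIC }
      .map(&:value)
  end
end

# Wildcard rule as used by Ruby's stdlib at the time: '*' matches one label.
def wildcard_match?(pattern, hostname)
  re = Regexp.escape(pattern).gsub(/\\\*/, "[^.]+")
  /\A#{re}\z/i.match?(hostname)
end

# Model of the pre-fix check: the dNSName reached the matcher through a
# C-string printer, so everything from the first NUL onward was dropped.
def vulnerable_identity_check(cert, hostname)
  san_dns_names(cert).any? do |name|
    cut = name.index("\0")
    c_string_view = cut ? name[0, cut] : name
    wildcard_match?(c_string_view, hostname)
  end
end

# Hardened check: compare the full-length name and refuse any NUL outright.
def hardened_identity_check(cert, hostname)
  san_dns_names(cert).any? do |name|
    !name.include?("\0") && wildcard_match?(name, hostname)
  end
end

if __FILE__ == $0
  spoof = cert_with_san(SPOOF_NAME)
  legit = cert_with_san(LEGIT_NAME)
  puts "dNSNames read at full length:       #{san_dns_names(spoof).inspect}"
  puts "pre-fix model accepts spoof cert:   #{vulnerable_identity_check(spoof, HOST)}"
  puts "hardened check accepts spoof cert:  #{hardened_identity_check(spoof, HOST)}"
  puts "hardened check accepts legit cert:  #{hardened_identity_check(legit, HOST)}"
  # Patched Ruby (2.0.0-p247 and later) also rejects the spoofed name:
  puts "stdlib accepts spoof cert:          #{OpenSSL::SSL.verify_certificate_identity(spoof, HOST)}"
end
```

The practical lesson is the same one the fix applied: never let a length-carrying ASN.1 string pass through a NUL-terminated text representation before comparing it, and treat any embedded NUL in a name as grounds for rejection rather than something to normalize away.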

Users are advised to update as soon as possible: every Ruby 1.8, 1.9 and 2.0 release before the patchlevels named above is affected. The flaw sits in Ruby's own hostname check, OpenSSL::SSL.verify_certificate_identity, so any client that relies on it (Net::HTTP with certificate verification enabled, or code calling OpenSSL::SSL::SSLSocket#post_connection_check) is exposed until the interpreter is upgraded.

Ruby is available for download from www.ruby-lang.org.