jruby-openssl Gem for JRuby fails to do proper certificate validation

Metadata

unknown
unknown
jruby-openssl
CVE-2009-4123
jruby.org
2009-12-07
2017-04-01 19:11
2017-01-05 20:15

Description

A security problem involving peer certificate verification was found where
failed verification silently did nothing, making affected applications
vulnerable to attackers. Attackers could lead a client application to believe
that a secure connection to a rogue SSL server is legitimate. Attackers could
also penetrate client-validated SSL server applications with a dummy
certificate.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Package        Patched in  Unaffected in
jruby-openssl  >= 0.6      None