[DRE-maint] Bug#689069: rubygems: RubyGems should use ca-certificates for SSL verification

Tyler Hicks tyhicks at canonical.com
Fri Sep 28 21:30:14 UTC 2012


Package: rubygems
Version: 1.8.24-1
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While I was preparing an Ubuntu rubygems update for CVE-2012-2126, I
noticed that rubygems-1.8.24-1 included its own trusted CA certificate
bundle, rather than using the bundle from ca-certificates, to do server
certificate verification in the gem fetcher.

In Ubuntu, the attached patch was applied to achieve the following:

  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to rubygems depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rubygems_1.8.24-1ubuntu1.debdiff
Type: text/x-diff
Size: 3083 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20120928/2cecdc6e/attachment-0001.diff>
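The effect of the change described in the report, as an added Ruby example that is neither RubyGems' fetcher code nor the attached debdiff: a TLS client verifies the server chain against one specific CA file (the role /etc/ssl/certs/ca-certificates.crt plays after the patch), and the same server is accepted or rejected depending solely on which bundle the client was pointed at. The CA, the leaf certificate and the loopback server are constructed in memory, the two bundle files are temporary files standing in for the distro bundle, and the helper names (`make_cert`, `start_tls_server`, `fetch_with_ca_bundle`, `verification_outcome`, `run_demo`) are this example's own.

```ruby
# Added example: shows that the CA bundle a fetcher trusts decides whether
# server verification succeeds. Not RubyGems code; helper names are ours.
require 'openssl'
require 'socket'
require 'net/http'
require 'tempfile'

# Constructed in-memory PKI: a throwaway CA and a leaf certificate it signs.
# Nothing here reads the real /etc/ssl/certs/ca-certificates.crt.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    # Net::HTTP also checks the peer name, so the leaf must name the dialled address.
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost,IP:127.0.0.1', false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Minimal HTTPS server on a random loopback port; answers "ok" to every request
# and keeps serving after a client aborts the handshake. Returns the port.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = ssl.accept                            # handshake happens here
        loop { line = conn.gets; break if line.nil? || line == "\r\n" }  # drain request
        conn.write "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        break if tcp.closed?
        next                                         # client rejected us; serve the next one
      end
    end
  end
  tcp.addr[1]
end

# What the gem fetcher does in spirit: verify the chain against one CA file only.
def fetch_with_ca_bundle(port, ca_file)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file   # on Debian/Ubuntu this would be /etc/ssl/certs/ca-certificates.crt
  http.get('/').body
end

def verification_outcome(port, ca_file)
  fetch_with_ca_bundle(port, ca_file) == 'ok' ? :verified : :unexpected_body
rescue OpenSSL::SSL::SSLError
  :rejected
end

def write_bundle(*certs)
  f = Tempfile.new(['bundle', '.crt'])
  f.write(certs.map(&:to_pem).join)
  f.close   # keeps the file; unlinked explicitly below
  f
end

# Runs the scenario; returns {trusted: :verified, untrusted: :rejected}.
def run_demo
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca_cert   = make_cert('/CN=Demo Root CA', ca_key, ca: true, serial: 1)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_cert = make_cert('/CN=localhost', leaf_key, issuer: ca_cert, issuer_key: ca_key, serial: 2)
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca  = make_cert('/CN=Unrelated CA', other_key, ca: true, serial: 3)

  port      = start_tls_server(leaf_cert, leaf_key)
  trusted   = write_bundle(ca_cert)    # bundle containing the issuing CA
  untrusted = write_bundle(other_ca)   # bundle that does not
  { trusted:   verification_outcome(port, trusted.path),
    untrusted: verification_outcome(port, untrusted.path) }
ensure
  [trusted, untrusted].compact.each(&:unlink)
end

puts run_demo.inspect if __FILE__ == $0
```

The point of the patch follows from the second outcome: a fetcher is only as trustworthy as the bundle it consults. A bundle vendored inside the rubygems package changes only when rubygems is rebuilt, whereas the distro bundle is refreshed whenever ca-certificates is updated, so a compromised or distrusted root is removed for every TLS client on the system at once.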
