CVE-2011-4121

Publication date 26 November 2019

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

9.8 · Critical


The OpenSSL extension of Ruby (Git trunk) in versions after 2011-09-01 and up to 2011-11-03 always generated a public exponent of '1' when generating RSA private keys. A remote attacker could use this flaw to bypass or corrupt the integrity of services that depend on the generation of strong RSA private keys.
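To make the flaw concrete, here is an added example (not code from the Ubuntu tracker or from the Ruby project) that sanity-checks the public exponent and modulus of an RSA key with the standard Ruby `openssl` library and shows why an exponent of 1 gives no protection; the message value used is constructed.

```ruby
require 'openssl'

# Conventional RSA public exponent (F4); anything below 3 or even is unusable.
DEFAULT_PUBLIC_EXPONENT = 65537
MIN_MODULUS_BITS = 2048

# Returns a list of problems with the RSA public parameters (n, e) as Integers.
# An empty list means the exponent and modulus pass the sanity checks.
def rsa_param_problems(n, e)
  problems = []
  # e = 1 (this CVE) makes m^e mod n == m, so "encryption" and "signing" are
  # the identity function; the matching private exponent d is 1 as well.
  problems << "public exponent must be greater than 1 (got #{e})" if e <= 1
  problems << "public exponent must be odd (got #{e})" if e.even?
  problems << "modulus must be odd" if n.even?
  problems << "modulus too small (#{n.bit_length} bits)" if n.bit_length < MIN_MODULUS_BITS
  problems
end

# Checks an RSA key (public or private, PEM or DER) parsed by OpenSSL.
def check_rsa_key(pem_or_der)
  key = OpenSSL::PKey::RSA.new(pem_or_der)
  rsa_param_problems(key.n.to_i, key.e.to_i)
end

# Textbook RSA on an integer message, used only to show the effect of e = 1.
def raw_rsa(m, exponent, n)
  m.pow(exponent, n)
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)          # healthy key: e = 65537
  puts "generated key problems: #{check_rsa_key(key.public_key.to_pem).inspect}"
  n = key.n.to_i
  m = 0xDEADBEEF                              # constructed sample message
  puts "with e=1, raw_rsa(m) == m ? #{raw_rsa(m, 1, n) == m}"  # true: plaintext leaks
  puts "problems with e=1: #{rsa_param_problems(n, 1).inspect}"
end
```

The same `check_rsa_key` call works on certificates' keys or on key files pulled from a host, which is how a defender would audit keys generated by an affected build.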


Status

Package     Ubuntu release    Status
ruby1.9.1   11.10 oneiric     Not affected
            11.04 natty       Not affected
            10.10 maverick    Not affected
            10.04 LTS lucid   Not affected
            8.04 LTS hardy    Not in release

Notes


jdstrand

ruby1.8 and ruby1.9 are not affected; only ruby1.9.1 is affected. This seems to only be a problem in a pre-release version of ruby 1.9.4.0 introduced in http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=33155; the fix is http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=33633

Severity score breakdown

Parameter               Value
Base score              9.8 · Critical
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  High
Integrity impact        High
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H