This repository has been archived by the owner on Dec 7, 2018. It is now read-only.

Http gem needs to be updated for security reasons #111

Open
Metallion opened this issue Apr 10, 2018 · 1 comment

Comments

@Metallion

Hi all

I'm one of the developers for OpenVNet, a project that implements DCell. GitHub has brought to our attention that the Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which makes it vulnerable to man-in-the-middle attacks.

Since the newest version of DCell still freezes http at 0.5.x, I tried to update it myself. Updating the gem to its most recent version 3.0.0 gave me the following error:

Apr 10 06:02:08 ci vnet-vnmgr[5717]: D, [2018-04-10T06:02:08.253041 #5721] DEBUG -- : Terminating 4 actors...
Apr 10 06:02:08 ci vnet-vnmgr[5717]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:3:in `<class:Response>': uninitialized constant HTTP::Header (NameError)
Apr 10 06:02:08 ci vnet-vnmgr[5717]: Did you mean?  HTTP::Headers
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:2:in `<module:Reel>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:1:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `<main>'

I figured a newer version of reel might have adjusted to any changes in the http gem so I updated reel to its newest version 0.6.1. The error changed to the following.

Apr 10 06:05:50 ci vnet-vnmgr[5770]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/tasks/task_fiber.rb:34:in `terminate': task was terminated (Celluloid::Task::TerminatedError)
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `each'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `cleanup'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:329:in `shutdown'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:321:in `handle_crash'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:166:in `rescue in run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:148:in `run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:130:in `block in start'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/thread_handle.rb:13:in `block in initialize'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor_system.rb:32:in `block in get_thread'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/internal_pool.rb:130:in `block in create'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from (celluloid):0:in `remote procedure call'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:92:in `value'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/sync_proxy.rb:33:in `method_missing'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/cell_proxy.rb:17:in `_send_'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:169:in `new'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/supervisor.rb:16:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:194:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from ./bin/vnmgr:33:in `<main>'

I had a look at the Celluloid code in the stack trace, but it seems like it's generic code to handle any crashes. It looks like updating the http gem will require some deeper knowledge of how DCell and Celluloid interact, so I was wondering if I could get some help with this.

Thanks in advance
~Metallion

@baob

baob commented Dec 6, 2018

I would also like to see DCell upgraded to support http > 0.7.3 in response to this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2015-1828
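The thread's practical question is whether a deployment is still carrying an http gem below the fixed version (0.7.3, per the advisory cited above). The following is an added example, not code from this issue or from the DCell or OpenVNet projects: a small Ruby script that parses a Gemfile.lock, pulls the resolved gem versions out of its "specs:" section, and reports any gem locked below a known fixed version using RubyGems' own Gem::Version ordering. The sample lock file content is constructed for the example, and the FIXED_VERSIONS table is an assumption seeded only with the http entry this thread discusses; extend it with other advisories as needed.

```ruby
# Added example (not from the DCell project): flag gems in a Gemfile.lock that
# are locked below the version that fixed a known advisory.
require 'rubygems' # provides Gem::Version for correct version ordering

# Constructed sample Gemfile.lock content; the versions here are illustrative,
# chosen to resemble a DCell-era bundle with http frozen at 0.5.x.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      celluloid (0.16.0)
        timers (~> 4.0.0)
      http (0.5.1)
        http_parser.rb (~> 0.6.0)
      http_parser.rb (0.6.0)
      reel (0.4.0)
        celluloid (>= 0.15.1)
        http (>= 0.5.0)
LOCK

# Assumed table: gem name => first version that fixes the advisory.
# 'http' => '0.7.3' is the fix version for the hostname-verification issue
# discussed in this thread; other entries would be added from other advisories.
FIXED_VERSIONS = { 'http' => '0.7.3' }.freeze

# Extract resolved gem versions from the lock file. In Gemfile.lock, a resolved
# gem is written at exactly four spaces of indentation, e.g. "    http (0.5.1)";
# the six-space lines under it are dependency constraints, not resolved versions,
# so the regex anchors on exactly four leading spaces to skip them.
def lock_specs(lock_text)
  specs = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Return [[gem, locked_version, fixed_version], ...] for every locked gem whose
# version sorts below its fixed version. Gem::Version handles multi-component
# and prerelease ordering, which a plain string comparison would get wrong
# (e.g. "0.10.0" vs "0.7.3").
def vulnerable_gems(lock_text, fixed = FIXED_VERSIONS)
  lock_specs(lock_text).map do |name, ver|
    fix = fixed[name]
    next unless fix
    [name, ver, fix] if Gem::Version.new(ver) < Gem::Version.new(fix)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_lock.rb [path/to/Gemfile.lock]; defaults to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  findings = vulnerable_gems(text)
  if findings.empty?
    puts 'no locked gem is below a known fixed version'
  else
    findings.each { |n, v, f| puts "#{n} #{v} is below fixed version #{f}" }
  end
end
```

Run it against a real Gemfile.lock to confirm what version of http a bundle actually resolves to; a Gemfile constraint alone is not enough, since a dependency such as reel can pull the gem in at a version the top-level Gemfile never mentions.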
