From 96444ea340a3642b882a53fd5258b9531853d44b Mon Sep 17 00:00:00 2001
From: Charles Oliver Nutter
Date: Wed, 7 May 2025 09:18:03 -0500
Subject: [PATCH 1/3] Verify hostname by default
This was disabled years ago while we were adding support for it, but it has been working for some time now. This patch re-enables hostname verification by default. This addresses CVE-2025-46551 and GHSA-72qj-48g4-5xgx. Users can work around this by applying this patch manually to their own jruby-openssl and jruby installs, or by re-enabling hostname verification with the following code early in application boot:
```ruby
require 'openssl'
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_hostname] = true
```
---
 lib/openssl/ssl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index b77f0b52..991f05e3 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -20,7 +20,7 @@ class SSLContext
 DEFAULT_PARAMS = { # :nodoc:
 :min_version => OpenSSL::SSL::TLS1_VERSION,
 :verify_mode => OpenSSL::SSL::VERIFY_PEER,
- :verify_hostname => nil, # TODO => true needs JRuby support to call verify_certificate_identity
+ :verify_hostname => true,
 :options => OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION }
From 7d037ad67fd893f276c5b6d17ab645065ac02923 Mon Sep 17 00:00:00 2001
From: Charles Oliver Nutter
Date: Wed, 7 May 2025 09:45:24 -0500
Subject: [PATCH 2/3] Update history for 0.15.4
---
 History.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/History.md b/History.md
index 33f645a4..58df9745 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,7 @@
+## 0.15.4
+
+* [fix] Verify hostname by default (CVE-2025-46551)
+
 ## 0.15.3
 * [fix] keep curve name when group is set into another key
From 4a83566842a5da9437220148b0601a4fe305dbc9 Mon Sep 17 00:00:00 2001
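Review bot: The `:verify_hostname => true` line in the `DEFAULT_PARAMS` hunk is only a default, and the removed TODO says the actual check (`verify_certificate_identity`) is performed by JRuby rather than by this gem, so a runtime that predates that support would presumably still accept a certificate issued for another name while `ctx.verify_hostname` reports `true`. The default also reaches a context only through whatever merges `DEFAULT_PARAMS` (`set_params` or similar), and even then hostname matching can only happen when `verify_mode` is `VERIFY_PEER` and a hostname has been given to the socket, so contexts built by hand without `set_params` are not covered by this fix. A line comment such as `:verify_hostname => true, # enforced by JRuby's verify callback via verify_certificate_identity; silently ineffective on JRuby builds without that support` plus a stated minimum JRuby version in the README/gemspec would keep users from assuming coverage they do not have. A regression test that connects to a server presenting a certificate for a different name and asserts `OpenSSL::SSL::SSLError` would pin the behavior this CVE fix depends on. The `DEFAULT_PARAMS` hash is the only part of `SSLContext` visible here; the rest of the class lies outside the hunk.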
From: Charles Oliver Nutter
Date: Wed, 7 May 2025 09:46:58 -0500
Subject: [PATCH 3/3] Update version for 0.15.4
---
 lib/jopenssl/version.rb | 2 +-
 pom.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/jopenssl/version.rb b/lib/jopenssl/version.rb
index 3a84cdf9..c635b8f5 100644
--- a/lib/jopenssl/version.rb
+++ b/lib/jopenssl/version.rb
@@ -1,5 +1,5 @@
 module JOpenSSL
- VERSION = '0.15.3'
+ VERSION = '0.15.4'
 BOUNCY_CASTLE_VERSION = '1.79'
 end
diff --git a/pom.xml b/pom.xml
index ac6278e6..bb01f0f1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@ DO NOT MODIFY - GENERATED CODE 4.0.0 rubygems jruby-openssl - 0.15.3 + 0.15.4 gem JRuby OpenSSL JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library.