celluloid / dcell

UNMAINTAINED: See celluloid/celluloid#779 - Actor-based distributed objects in Ruby based on Celluloid and 0MQ
http://celluloid.io
MIT License

Http gem needs to be updated for security reasons #111

Open Metallion opened 6 years ago

Metallion commented 6 years ago

Hi all

I'm one of the developers for OpenVNet, a project that implements DCell. GitHub has brought to our attention that the Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which makes it vulnerable to man-in-the-middle attacks.

Since the newest version of DCell still freezes http at 0.5.x, I tried to update it myself. Updating the gem to its most recent version 3.0.0 gave me the following error:

Apr 10 06:02:08 ci vnet-vnmgr[5717]: D, [2018-04-10T06:02:08.253041 #5721] DEBUG -- : Terminating 4 actors...
Apr 10 06:02:08 ci vnet-vnmgr[5717]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:3:in `<class:Response>': uninitialized constant HTTP::Header (NameError)
Apr 10 06:02:08 ci vnet-vnmgr[5717]: Did you mean?  HTTP::Headers
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:2:in `<module:Reel>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:1:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `<main>'

I figured a newer version of reel might have adjusted to any changes in the http gem so I updated reel to its newest version 0.6.1. The error changed to the following.

Apr 10 06:05:50 ci vnet-vnmgr[5770]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/tasks/task_fiber.rb:34:in `terminate': task was terminated (Celluloid::Task::TerminatedError)
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `each'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `cleanup'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:329:in `shutdown'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:321:in `handle_crash'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:166:in `rescue in run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:148:in `run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:130:in `block in start'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/thread_handle.rb:13:in `block in initialize'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor_system.rb:32:in `block in get_thread'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/internal_pool.rb:130:in `block in create'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from (celluloid):0:in `remote procedure call'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:92:in `value'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/sync_proxy.rb:33:in `method_missing'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/cell_proxy.rb:17:in `_send_'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:169:in `new'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/supervisor.rb:16:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:194:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from ./bin/vnmgr:33:in `<main>'

I had a look at the celluloid code in the stack trace but it seems like it's generic code to handle any crashes. It looks like updating the http gem will require some deeper knowledge of how DCell and Celluloid interact, so I was wondering if I could get some help with this.

Thanks in advance ~Metallion

baob commented 5 years ago

I would also like to see DCell upgraded to support http > 0.7.3 in response to this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2015-1828
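As an added example (not code from this issue, DCell, or the http gem), the Ruby snippet below shows the check that http versions before 0.7.3 omitted, as described in the opening post and in CVE-2015-1828: confirming that the certificate a server presents actually identifies the host the client meant to reach. The certificate is constructed in-process; the host names in it are assumptions.

```ruby
require "openssl"

# Build a constructed self-signed certificate for the demonstration
# (not a real DCell or OpenVNet certificate). The SAN carries the DNS names
# that hostname verification is matched against.
def build_cert(cn, san_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = san_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The step the vulnerable http gem skipped: chain validation alone only proves
# that *some* CA signed the certificate, not that it belongs to the host we
# dialled. Ruby's OpenSSL binding exposes the same identity check that
# SSLSocket#post_connection_check performs (SAN DNS entries, single leftmost
# wildcard label, CN only as a fallback when no DNS SAN is present).
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Client-side context with both checks enabled: VERIFY_PEER validates the
# chain against the default CA store; verify_hostname (openssl gem >= 2.0,
# guarded here because older Rubies lack the setter) validates the identity.
def hardened_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true if ctx.respond_to?(:verify_hostname=)
  ctx
end

# Constructed certificate used by the checks above (assumed host names).
CERT = build_cert("dcell.example", ["dcell.example", "*.nodes.example"])
```

A certificate that fails `hostname_matches?` for the intended host is exactly what an on-path attacker with any valid certificate could present to an http < 0.7.3 client without being rejected.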