This repository was archived by the owner on Dec 7, 2018. It is now read-only.

Http gem needs to be updated for security reasons #111

@Metallion


Hi all

I'm one of the developers for OpenVNet, a project that implements DCell. GitHub has brought to our attention that the Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which makes it vulnerable to man-in-the-middle attacks.

Since the newest version of DCell still freezes http at 0.5.x, I tried to update it myself. Updating the gem to its most recent version 3.0.0 gave me the following error:

Apr 10 06:02:08 ci vnet-vnmgr[5717]: D, [2018-04-10T06:02:08.253041 #5721] DEBUG -- : Terminating 4 actors...
Apr 10 06:02:08 ci vnet-vnmgr[5717]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:3:in `<class:Response>': uninitialized constant HTTP::Header (NameError)
Apr 10 06:02:08 ci vnet-vnmgr[5717]: Did you mean?  HTTP::Headers
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:2:in `<module:Reel>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel/response.rb:1:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/reel-0.4.0/lib/reel.rb:18:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from /home/kemumaki/dcell/lib/dcell.rb:2:in `<top (required)>'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `require'
Apr 10 06:02:08 ci vnet-vnmgr[5717]: from ./bin/vnmgr:8:in `<main>'

I figured a newer version of reel might have adjusted to any changes in the http gem so I updated reel to its newest version 0.6.1. The error changed to the following.

Apr 10 06:05:50 ci vnet-vnmgr[5770]: /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/tasks/task_fiber.rb:34:in `terminate': task was terminated (Celluloid::Task::TerminatedError)
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `each'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:345:in `cleanup'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:329:in `shutdown'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:321:in `handle_crash'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:166:in `rescue in run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:148:in `run'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:130:in `block in start'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/thread_handle.rb:13:in `block in initialize'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/actor_system.rb:32:in `block in get_thread'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/internal_pool.rb:130:in `block in create'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from (celluloid):0:in `remote procedure call'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:92:in `value'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/sync_proxy.rb:33:in `method_missing'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/proxies/cell_proxy.rb:17:in `_send_'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:169:in `new'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid/supervisor.rb:16:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from /opt/axsh/openvnet/vnet/vendor/bundle/ruby/2.3.0/gems/celluloid-0.16.0/lib/celluloid.rb:194:in `supervise_as'
Apr 10 06:05:50 ci vnet-vnmgr[5770]: from ./bin/vnmgr:33:in `<main>'

I had a look at the celluloid code in the stacktrace, but it seems like it's generic code to handle any crashes. It looks like updating the http gem will require some deeper knowledge of how DCell and Celluloid interact, so I was wondering if I could get some help with this.

Thanks in advance
~Metallion
