[DRE-maint] Bug#964274: ruby-websocket-extensions: CVE-2020-7663

Salvatore Bonaccorso carnil at debian.org
Sat Jul 4 20:41:22 BST 2020


Source: ruby-websocket-extensions
Version: 0.1.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ruby-websocket-extensions.

CVE-2020-7663[0]:
| websocket-extensions ruby module prior to 0.1.5 allows Denial of
| Service (DoS) via Regex Backtracking. The extension parser may take
| quadratic time when parsing a header containing an unclosed string
| parameter value whose content is a repeating two-byte sequence of a
| backslash and some other character. This could be abused by an
| attacker to conduct Regex Denial Of Service (ReDoS) on a
| single-threaded server by providing a malicious payload with the
| Sec-WebSocket-Extensions header.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663
[1] https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
[2] https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b

Regards,
Salvatore
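The CVE text above describes a regex-based extension parser that backtracks quadratically on an unclosed quoted-string full of backslash escapes. The usual mitigation is to parse the header with a single left-to-right scan that visits each byte once, so an unclosed string is rejected after linear work. The following is an added, illustrative Ruby parser for the Sec-WebSocket-Extensions grammar of RFC 6455 section 9.1 (extension-list = 1#extension; extension = token *(";" token ["=" (token | quoted-string)])). It is not the websocket-extensions gem's code or the upstream fix; the module name, the ParseError class and the default 4096-byte cap are assumptions made for this example.

```ruby
# Added example: hand-written, single-pass parser for the
# Sec-WebSocket-Extensions header (RFC 6455 section 9.1). Not the
# websocket-extensions gem's implementation; names and limits are
# illustrative.
module ExtensionHeaderScanner
  class ParseError < StandardError; end

  # RFC 7230 tchar set; %q avoids interpolating the "#$" sequence.
  TCHAR = (%q(!#$%&'*+-.^_`|~).chars +
           ("0".."9").to_a + ("A".."Z").to_a + ("a".."z").to_a).freeze

  # Returns an array of { name: String, params: Hash } entries.
  # A parameter without "=value" is recorded as true.
  # Raises ParseError on malformed input, including an unclosed
  # quoted-string, after work proportional to the header length.
  def self.parse(header, max_bytes: 4096)
    # Cheap first line of defence: refuse absurdly long header values.
    raise ParseError, "header exceeds #{max_bytes} bytes" if header.bytesize > max_bytes

    pos = 0
    extensions = []
    loop do
      pos = skip_ws(header, pos)
      name, pos = read_token(header, pos)
      params = {}
      pos = skip_ws(header, pos)
      while pos < header.length && header[pos] == ";"
        pos = skip_ws(header, pos + 1)
        key, pos = read_token(header, pos)
        pos = skip_ws(header, pos)
        value = true
        if pos < header.length && header[pos] == "="
          pos = skip_ws(header, pos + 1)
          value, pos = header[pos] == '"' ? read_quoted(header, pos) : read_token(header, pos)
          pos = skip_ws(header, pos)
        end
        params[key] = value
      end
      extensions << { name: name, params: params }
      break if pos >= header.length
      raise ParseError, "expected ',' at offset #{pos}" unless header[pos] == ","
      pos += 1
    end
    extensions
  end

  def self.skip_ws(str, pos)
    pos += 1 while pos < str.length && (str[pos] == " " || str[pos] == "\t")
    pos
  end

  def self.read_token(str, pos)
    start = pos
    pos += 1 while pos < str.length && TCHAR.include?(str[pos])
    raise ParseError, "expected token at offset #{start}" if pos == start
    [str[start...pos], pos]
  end

  # quoted-string = '"' *(qdtext | "\" char) '"'.
  # Every character is consumed exactly once, so a long run of
  # backslash-escapes in a string that never closes costs O(n), not O(n^2).
  def self.read_quoted(str, pos)
    pos += 1 # skip the opening quote
    out = +""
    while pos < str.length
      c = str[pos]
      if c == "\\"
        raise ParseError, "dangling backslash at offset #{pos}" if pos + 1 >= str.length
        out << str[pos + 1]
        pos += 2
      elsif c == '"'
        return [out, pos + 1]
      else
        out << c
        pos += 1
      end
    end
    raise ParseError, "unclosed quoted-string"
  end
end

if __FILE__ == $PROGRAM_NAME
  p ExtensionHeaderScanner.parse('permessage-deflate; client_max_window_bits=15, x-foo; q="a\\"b"')
  begin
    # Constructed input of the shape the CVE describes: an unclosed string of "\a" pairs.
    ExtensionHeaderScanner.parse('ext; p="' + '\\a' * 10_000)
  rescue ExtensionHeaderScanner::ParseError => e
    puts "rejected: #{e.message}"
  end
end
```

The scanner tracks a single index and never re-reads input, which is the property that removes the backtracking cost; the byte cap is an independent, cheaper guard that a server can apply before any parsing at all.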
