[DRE-maint] Bug#990791: ruby-addressable: CVE-2021-32740

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 7 16:36:31 BST 2021

Source: ruby-addressable
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security


The following vulnerability was published for ruby-addressable.

| Addressable is an alternative implementation to the URI implementation
| that is part of Ruby's standard library. An uncontrolled resource
| consumption vulnerability exists after version 2.3.0 through version
| 2.7.0. Within the URI template implementation in Addressable, a
| maliciously crafted template may result in uncontrolled resource
| consumption, leading to denial of service when matched against a URI.
| In typical usage, templates would not normally be read from untrusted
| user input, but nonetheless, no previous security advisory for
| Addressable has cautioned against doing this. Users of the parsing
| capabilities in Addressable but not the URI template capabilities are
| unaffected. The vulnerability is patched in version 2.8.0. As a
| workaround, only create Template objects from trusted sources that
| have been validated not to produce catastrophic backtracking.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32740

Please adjust the affected versions in the BTS as needed.
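The advisory's workaround is to build Template objects only from trusted, pre-validated sources. The following is an added example, not part of this bug report or of the addressable gem, showing one way an application can enforce that: template strings are taken from a fixed allowlist (the two entries below are constructed), and each match runs under a hard time limit so a pathological template cannot pin a worker. The `TrustedTemplates` module name, the allowlist contents and the 0.5 s limit are assumptions for illustration.

```ruby
require 'timeout'

# Added example (not from the bug report or the addressable gem): gate
# Addressable::Template construction on an allowlist of trusted template
# strings and bound the time any single match may consume.
module TrustedTemplates
  # Constructed allowlist. In a real application this lives in code or
  # operator-controlled configuration, never in request data.
  ALLOWED = [
    'https://example.org/users/{id}',
    'https://example.org/repos/{owner}/{name}/issues{?state,page}',
  ].freeze

  # Matching a URI against a sane template is far below a millisecond, so a
  # generous 0.5 s budget still catches runaway backtracking (assumed value).
  MATCH_TIMEOUT = 0.5

  def self.trusted?(template)
    ALLOWED.include?(template)
  end

  # Returns the template string only if it is allowlisted; raises otherwise so
  # an untrusted string can never reach Addressable::Template.new.
  def self.fetch(template)
    raise ArgumentError, 'template is not in the trusted allowlist' unless trusted?(template)
    template
  end

  # Runs the given block (normally a template match) under a time limit.
  # Returns the block's result, or :timeout if the limit was exceeded.
  def self.bounded(limit = MATCH_TIMEOUT)
    Timeout.timeout(limit) { yield }
  rescue Timeout::Error
    :timeout
  end
end

# Usage when the addressable gem is installed; skipped otherwise so the guard
# itself loads in any Ruby environment.
begin
  require 'addressable/template'
rescue LoadError
  # gem not present; only the guard module is available
end

if defined?(Addressable::Template) && __FILE__ == $PROGRAM_NAME
  tpl = Addressable::Template.new(TrustedTemplates.fetch('https://example.org/users/{id}'))
  result = TrustedTemplates.bounded { tpl.match('https://example.org/users/42') }
  puts(result == :timeout ? 'match aborted' : result.mapping.inspect)
end
```

`Timeout.timeout` interrupts Ruby code at its safe points and is a best-effort bound rather than a guarantee; on Ruby 3.2 or newer, `Regexp.timeout=` gives a process-wide limit on regular-expression matching that applies to the regexps Addressable builds internally as well. Neither replaces the allowlist: the primary control is that untrusted input never becomes a template.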
