[DRE-maint] Bug#990791: ruby-addressable: CVE-2021-32740
Moritz Mühlenhoff
jmm at inutil.org
Wed Jul 7 16:36:31 BST 2021
Source: ruby-addressable
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ruby-addressable.
CVE-2021-32740[0]:
| Addressable is an alternative implementation to the URI implementation
| that is part of Ruby's standard library. An uncontrolled resource
| consumption vulnerability exists after version 2.3.0 through version
| 2.7.0. Within the URI template implementation in Addressable, a
| maliciously crafted template may result in uncontrolled resource
| consumption, leading to denial of service when matched against a URI.
| In typical usage, templates would not normally be read from untrusted
| user input, but nonetheless, no previous security advisory for
| Addressable has cautioned against doing this. Users of the parsing
| capabilities in Addressable but not the URI template capabilities are
| unaffected. The vulnerability is patched in version 2.8.0. As a
| workaround, only create Template objects from trusted sources that
| have been validated not to produce catastrophic backtracking.
https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32740
Please adjust the affected versions in the BTS as needed.
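The advisory above narrows exposure to two conditions: the installed addressable is in the affected range, and the application actually builds Addressable::Template objects (callers that only use the URI parser are unaffected). The following triage script is an added example, not part of this bug report or of the addressable project. It reads the pinned version out of a Gemfile.lock, compares it with Gem::Version against the boundaries stated in the CVE text (affected after 2.3.0 and before the 2.8.0 fix; treating 2.3.0 itself as unaffected follows the wording "after version 2.3.0" and is an assumption), and greps the application source for template use. The lockfile and source snippets are constructed sample input, and every function name is invented for this illustration.

```ruby
# Added example: offline triage for CVE-2021-32740 in a Ruby project.
# Not the bug report's or the addressable gem's own code.
require "rubygems" # Gem::Version for semantic version comparison

# Range boundaries as read from the CVE description: "after version 2.3.0
# through version 2.7.0", "patched in version 2.8.0".  Treating 2.3.0 itself
# as unaffected and every release above it but below 2.8.0 as affected is
# our reading of that text (assumption).
LAST_UNAFFECTED = Gem::Version.new("2.3.0")
FIXED_VERSION   = Gem::Version.new("2.8.0")

def addressable_affected?(version_string)
  v = Gem::Version.new(version_string)
  v > LAST_UNAFFECTED && v < FIXED_VERSION
end

# Bundler writes resolved gems under "GEM"/"specs:" as
#   "    addressable (2.7.0)"          (4 spaces, name, resolved version)
# while a gem's dependencies are indented 6 spaces and carry constraints
# ("      public_suffix (>= 2.0.2, < 5.0)"), so the 4-space anchor skips them.
LOCK_LINE = /\A {4}addressable \(([^)]+)\)\s*\z/

def pinned_addressable_version(lock_text)
  lock_text.each_line do |line|
    m = LOCK_LINE.match(line)
    return m[1] if m
  end
  nil
end

# Only the URI template implementation is affected; a code base that never
# references Addressable::Template is not exposed even on a vulnerable version.
TEMPLATE_USE = /\bAddressable::Template\b/

def uses_uri_templates?(source_text)
  source_text.match?(TEMPLATE_USE)
end

# Combine the two checks into one verdict.
def triage(lock_text, source_text)
  version = pinned_addressable_version(lock_text)
  return :not_installed if version.nil?
  return :patched unless addressable_affected?(version)
  uses_uri_templates?(source_text) ? :vulnerable : :not_exposed
end

# Constructed sample Gemfile.lock pinning the last affected release.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.7.0)
      public_suffix (>= 2.0.2, < 5.0)
    public_suffix (4.0.6)

PLATFORMS
  ruby

DEPENDENCIES
  addressable

BUNDLED WITH
   2.2.3
LOCK

# Constructed sample application code that builds a template from user input,
# exactly the pattern the advisory's workaround warns against.
SAMPLE_SOURCE = <<~RUBY
  require "addressable/template"
  pattern  = params[:pattern]                 # untrusted, attacker-controlled
  template = Addressable::Template.new(pattern)
  template.match(request.url)
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "addressable #{pinned_addressable_version(SAMPLE_LOCK)}: #{triage(SAMPLE_LOCK, SAMPLE_SOURCE)}"
end
```

Run it against a real project by replacing the two constructed samples with File.read of the Gemfile.lock and the concatenated application sources; a :vulnerable verdict means upgrading to 2.8.0 or, until then, applying the advisory's workaround of constructing templates only from trusted, reviewed strings.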