[DRE-maint] Bug#1038408: ruby3.1: CVE-2023-28755 CVE-2023-28756

Salvatore Bonaccorso carnil at debian.org
Sat Jun 17 20:44:42 BST 2023


Source: ruby3.1
Version: 3.1.2-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for ruby3.1.

CVE-2023-28755[0]:
| A ReDoS issue was discovered in the URI component through 0.12.0 in
| Ruby through 3.2.1. The URI parser mishandles invalid URLs that have
| specific characters. It causes an increase in execution time for
| parsing strings to URI objects. The fixed versions are 0.12.1,
| 0.11.1, 0.10.2 and 0.10.0.1.


CVE-2023-28756[1]:
| A ReDoS issue was discovered in the Time component through 0.2.1 in
| Ruby through 3.2.1. The Time parser mishandles invalid URLs that
| have specific characters. It causes an increase in execution time
| for parsing strings to Time objects. The fixed versions are 0.1.1
| and 0.2.2.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28755
    https://www.cve.org/CVERecord?id=CVE-2023-28755
[1] https://security-tracker.debian.org/tracker/CVE-2023-28756
    https://www.cve.org/CVERecord?id=CVE-2023-28756

Regards,
Salvatore



More information about the Pkg-ruby-extras-maintainers mailing list