https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

We have released the time gem versions 0.1.1 and 0.2.2 that have a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28756.

Details

The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects. A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and the Time library of Ruby 2.7.7.

https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

We have released the uri gem versions 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1 that have a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.

Details

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The uri gem versions 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior to 0.10.0 are vulnerable to this vulnerability.
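A version audit written for this bug as an added example (not code from the Ruby advisories or from Gentoo's tooling): it encodes the affected ranges quoted above as Gem::Requirement constraints and checks every installed copy of the two gems against them. The function names `affected_cves` and `audit_installed` are assumed, not anything the advisories define.

```ruby
require "rubygems"

# Vulnerable ranges taken from the two ruby-lang.org advisories above.
# Each entry lists Gem::Requirement strings; a version that satisfies any
# one of them is affected by that CVE. Fixed releases (0.12.1, 0.11.1,
# 0.10.2, 0.10.0.1 for uri; 0.2.2, 0.1.1 for time) fall outside every range.
ADVISORIES = {
  "CVE-2023-28755" => {
    gem: "uri",
    vulnerable: ["< 0.10.0", "= 0.10.0", "= 0.10.1", "= 0.11.0", "= 0.12.0"],
  },
  "CVE-2023-28756" => {
    gem: "time",
    vulnerable: ["= 0.1.0", "= 0.2.1"],
  },
}.freeze

# Returns the CVE ids that apply to gem_name at version_string.
# Gem::Version does the comparison, so "0.10.0.1" correctly sorts above
# "0.10.0" and is not matched by "= 0.10.0" or "< 0.10.0".
def affected_cves(gem_name, version_string)
  version = Gem::Version.new(version_string)
  ADVISORIES.select do |_cve, adv|
    adv[:gem] == gem_name &&
      adv[:vulnerable].any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end.keys
end

# Looks up every installed copy of a gem (default gems bundled with the
# interpreter included) and pairs each version with the CVEs still open
# against it. Returns [] when the gem is not installed at all.
def audit_installed(gem_name)
  Gem::Specification.find_all_by_name(gem_name).map do |spec|
    [spec.version.to_s, affected_cves(gem_name, spec.version.to_s)]
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[uri time].each do |name|
    audit_installed(name).each do |version, cves|
      status = cves.empty? ? "ok" : "VULNERABLE (#{cves.join(', ')})"
      puts "#{name} #{version}: #{status}"
    end
  end
end
```

Run it with the interpreter you are checking (`ruby audit.rb`), since the bundled default gems are resolved from that interpreter's own gem directory.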
Fixed in ruby 2.7.8, ruby 3.0.6, ruby 3.1.4 and ruby 3.2.2, and in dev-ruby/time-0.2.2. URI is only shipped bundled with dev-lang/ruby at the moment. Given that upstream likes to mix in other fixes with security updates I'd like to wait a couple of days before filing a stable bug.
Cleanup done.
(In reply to Hans de Graaff from comment #2)
> Cleanup done.

Not for 2.7.x?
(In reply to John Helmert III from comment #3)
> (In reply to Hans de Graaff from comment #2)
> > Cleanup done.
>
> Not for 2.7.x?

That version was already masked for removal, IIRC.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

[ GLSA 202401-27 ] Ruby: Multiple vulnerabilities

Bug: https://bugs.gentoo.org/747007
Bug: https://bugs.gentoo.org/801061
Bug: https://bugs.gentoo.org/827251
Bug: https://bugs.gentoo.org/838073
Bug: https://bugs.gentoo.org/882893
Bug: https://bugs.gentoo.org/903630
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)