Source: ruby3.1
Version: 3.1.2-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for ruby3.1.

CVE-2023-28755[0]:
| A ReDoS issue was discovered in the URI component through 0.12.0 in
| Ruby through 3.2.1. The URI parser mishandles invalid URLs that have
| specific characters. It causes an increase in execution time for
| parsing strings to URI objects. The fixed versions are 0.12.1,
| 0.11.1, 0.10.2 and 0.10.0.1.

CVE-2023-28756[1]:
| A ReDoS issue was discovered in the Time component through 0.2.1 in
| Ruby through 3.2.1. The Time parser mishandles invalid URLs that
| have specific characters. It causes an increase in execution time
| for parsing strings to Time objects. The fixed versions are 0.1.1
| and 0.2.2.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28755
    https://www.cve.org/CVERecord?id=CVE-2023-28755
[1] https://security-tracker.debian.org/tracker/CVE-2023-28756
    https://www.cve.org/CVERecord?id=CVE-2023-28756

Regards,
Salvatore
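The check a maintainer or operator would want next to this report is whether the `uri` and `time` default gems on a given Ruby are at or past the fixed versions the two CVE descriptions list. The script below is an added example, not part of the bug report and not Debian or upstream code. It takes the fixed-version lists verbatim from the CVE text above; the rule that a release is fixed when it is at or above the fix for its own branch (0.12.x, 0.11.x, 0.10.x, 0.10.0.x for uri; 0.2.x, 0.1.x for time), or newer than every listed fix, is my assumption, as are the helper names `fixed_version?`, `installed_version` and `audit`.

```ruby
# Added example: branch-aware fixed-version check for CVE-2023-28755 (uri)
# and CVE-2023-28756 (time) on the running Ruby. Not part of the bug
# report; helper names and the branch rule are assumptions of this example.
require "rubygems"

# Fixed versions per CVE, copied from the CVE descriptions in the report.
FIXED_VERSIONS = {
  "CVE-2023-28755" => { gem: "uri",  fixed: %w[0.12.1 0.11.1 0.10.2 0.10.0.1] },
  "CVE-2023-28756" => { gem: "time", fixed: %w[0.2.2 0.1.1] },
}.freeze

# A version counts as fixed when it is newer than every listed fix (a later
# branch) or when, on the branch of one listed fix, it is >= that fix.
# The "branch" of a fix is all of its segments but the last, so 0.10.2 fixes
# the 0.10 line and 0.10.0.1 fixes the 0.10.0 line. Anything else, including
# every release below the fixes ("through 0.12.0"), is treated as vulnerable.
def fixed_version?(installed, fixed_list)
  v = Gem::Version.new(installed)
  fixes = fixed_list.map { |s| Gem::Version.new(s) }
  return true if v > fixes.max

  fixes.any? do |fix|
    branch = fix.segments[0...-1]
    v.segments[0, branch.length] == branch && v >= fix
  end
end

# Version of a (default or installed) gem on this Ruby, or nil if RubyGems
# has no spec for it.
def installed_version(gem_name)
  Gem::Specification.find_by_name(gem_name).version.to_s
rescue Gem::LoadError
  nil
end

# Returns { "CVE-..." => :fixed | :vulnerable | :unknown } for each entry.
def audit(table = FIXED_VERSIONS)
  table.each_with_object({}) do |(cve, info), report|
    installed = installed_version(info[:gem])
    report[cve] =
      if installed.nil?                               then :unknown
      elsif fixed_version?(installed, info[:fixed])   then :fixed
      else                                                 :vulnerable
      end
  end
end

if __FILE__ == $0
  audit.each do |cve, status|
    gem_name = FIXED_VERSIONS[cve][:gem]
    puts format("%-15s %-5s %-8s %s", cve, gem_name,
                installed_version(gem_name) || "n/a", status)
  end
end
```

Run it with the interpreter that ships the package under test (for this report, `ruby3.1 audit.rb`); a `:vulnerable` result for either CVE means the corresponding default gem is below the fix for its branch, and `:unknown` means RubyGems could not resolve the gem at all, which on Ruby 3.1 should not happen for these two default gems.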