Source: ruby-fugit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for ruby-fugit.

CVE-2024-43380[0]:
| fugit contains time tools for flor and the floraison group. The
| fugit "natural" parser, that turns "every wednesday at 5pm" into "0
| 17 * * 3", accepted any length of input and went on attempting to
| parse it, not returning promptly, as expected. The parse call could
| hold the thread with no end in sight. Fugit dependents that do not
| check (user) input length for plausibility are impacted. A fix was
| released in fugit 1.11.1.

https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
https://github.com/floraison/fugit/issues/104
https://github.com/floraison/fugit/commit/6a7527497c0bb9196efe503e3d9b5271128a8ee1 (v1.11.1)
https://github.com/floraison/fugit/commit/2a11805444d9ed036ee8570b88cd2b6df450ee84 (v1.11.1)
https://github.com/floraison/fugit/commit/a9a262873450eaf5671747f846a6ec1e5f7d87c1 (v1.11.1)
https://github.com/floraison/fugit/commit/025ad7bb76590d3360750d5617b235a23908e5bb (v1.11.1)
https://github.com/floraison/fugit/commit/767ef550281bcdc8782233840f98cf8487340476 (v1.11.1)
https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5 (v1.11.1)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43380
    https://www.cve.org/CVERecord?id=CVE-2024-43380

Please adjust the affected versions in the BTS as needed.