Source: ruby-websocket-extensions
Version: 0.1.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ruby-websocket-extensions.

CVE-2020-7663[0]:
| websocket-extensions ruby module prior to 0.1.5 allows Denial of
| Service (DoS) via Regex Backtracking. The extension parser may take
| quadratic time when parsing a header containing an unclosed string
| parameter value whose content is a repeating two-byte sequence of a
| backslash and some other character. This could be abused by an
| attacker to conduct Regex Denial Of Service (ReDoS) on a
| single-threaded server by providing a malicious payload with the
| Sec-WebSocket-Extensions header.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663
[1] https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
[2] https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b

Regards,
Salvatore

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
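The advisory quoted above describes a parser that backtracks quadratically on an unclosed quoted-string parameter value in Sec-WebSocket-Extensions. The following is an added example, not the websocket-extensions gem's own code nor the upstream fix referenced in [2]: a hand-written, single-pass scanner for an extension header value that examines each byte once, so a missing closing quote (whatever the string contains) is rejected in linear time. The class and method names (ExtensionHeaderScanner, parse_extensions, classify_header, HeaderParseError) are assumptions chosen for this example; the grammar follows the token / quoted-string rules of RFC 6455 and RFC 7230, and parameter values are returned as strings (the real gem additionally converts numeric values).

```ruby
# Added example (not the gem's code): linear-time parsing of a
# Sec-WebSocket-Extensions header value without a backtracking regex.
#
# Simplified grammar (RFC 6455 section 9.1, RFC 7230 section 3.2.6):
#   ext-list  = extension *( OWS "," OWS extension )
#   extension = token *( OWS ";" OWS param )
#   param     = token [ "=" ( token / quoted-string ) ]

# tchar set from RFC 7230 ("$" is escaped so Ruby does not try to interpolate).
TOKEN_CHARS = /[!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]/

class HeaderParseError < StandardError; end

class ExtensionHeaderScanner
  def initialize(str)
    @s = str
    @i = 0
  end

  # Returns an array of { name: String, params: Hash } entries.
  def parse
    exts = []
    loop do
      skip_ws
      exts << parse_extension
      skip_ws
      break if eof?
      expect(",")
    end
    exts
  end

  private

  def parse_extension
    name = parse_token
    params = {}
    loop do
      skip_ws
      break unless peek == ";"
      @i += 1
      skip_ws
      key = parse_token
      value = true # a bare parameter name carries no value
      if peek == "="
        @i += 1
        value = peek == '"' ? parse_quoted : parse_token
      end
      params[key] = value
    end
    { name: name, params: params }
  end

  def parse_token
    start = @i
    @i += 1 while !eof? && TOKEN_CHARS.match?(@s[@i])
    raise HeaderParseError, "token expected at offset #{start}" if @i == start
    @s[start...@i]
  end

  # Every byte of the quoted-string is consumed exactly once, so an unclosed
  # string of any length (including one made of repeated backslash pairs)
  # fails in O(n) rather than through regex backtracking.
  def parse_quoted
    expect('"')
    out = +""
    until eof?
      c = @s[@i]
      @i += 1
      case c
      when '"' then return out
      when "\\"
        raise HeaderParseError, "dangling backslash" if eof?
        out << @s[@i] # quoted-pair: the escaped character is taken literally
        @i += 1
      else
        if c != "\t" && (c.ord < 0x20 || c.ord == 0x7f)
          raise HeaderParseError, "control character in quoted-string"
        end
        out << c
      end
    end
    raise HeaderParseError, "unclosed quoted-string"
  end

  def skip_ws
    @i += 1 while !eof? && (@s[@i] == " " || @s[@i] == "\t")
  end

  def expect(ch)
    raise HeaderParseError, "expected #{ch.inspect} at offset #{@i}" unless peek == ch
    @i += 1
  end

  def peek; eof? ? nil : @s[@i]; end
  def eof?; @i >= @s.size; end
end

def parse_extensions(header)
  ExtensionHeaderScanner.new(header).parse
end

# Handshake policy helper: a malformed header is reported as :rejected so the
# server can answer 400 instead of attempting to recover from it.
def classify_header(header)
  parse_extensions(header)
  :accepted
rescue HeaderParseError
  :rejected
end
```

The scanner is deliberately strict: an empty extension name, a dangling backslash, a control character, or a missing closing quote all raise HeaderParseError immediately. Because no alternation in the code can match the same input two ways, parse time is proportional to header length regardless of content, which is the property the regex-based parser lacked.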