Source: ruby-addressable
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for ruby-addressable.

CVE-2021-32740[0]:
| Addressable is an alternative implementation to the URI implementation
| that is part of Ruby's standard library. An uncontrolled resource
| consumption vulnerability exists after version 2.3.0 through version
| 2.7.0. Within the URI template implementation in Addressable, a
| maliciously crafted template may result in uncontrolled resource
| consumption, leading to denial of service when matched against a URI.
| In typical usage, templates would not normally be read from untrusted
| user input, but nonetheless, no previous security advisory for
| Addressable has cautioned against doing this. Users of the parsing
| capabilities in Addressable but not the URI template capabilities are
| unaffected. The vulnerability is patched in version 2.8.0. As a
| workaround, only create Template objects from trusted sources that
| have been validated not to produce catastrophic backtracking.

https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32740

Please adjust the affected versions in the BTS as needed.
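The advisory gives an affected range (after 2.3.0 through 2.7.0, fixed in 2.8.0), so the first thing a maintainer or operator wants is a quick way to tell which Ruby projects on a host are still pinned to a vulnerable addressable. The script below is an added example written for this report; it is not code from the Addressable project or from the advisory. It reads the resolved version out of a Gemfile.lock using only Ruby's built-in Gem::Version, and classifies it against the range the advisory states. The lockfile content embedded here is constructed sample data, and the assumed layout is the standard Bundler one (top-level gems in the "specs:" block indented by four spaces, their dependencies by six).

```ruby
require 'rubygems' # Gem::Version ships with Ruby; no gem install needed

# Range taken from the CVE-2021-32740 advisory text:
# affected after 2.3.0 through 2.7.0, patched in 2.8.0.
ADDRESSABLE_FIRST_AFFECTED_EXCLUSIVE = Gem::Version.new('2.3.0')
ADDRESSABLE_LAST_AFFECTED            = Gem::Version.new('2.7.0')
ADDRESSABLE_FIXED                    = Gem::Version.new('2.8.0')

# True when the given addressable version string falls in the affected range.
def addressable_affected?(version_string)
  v = Gem::Version.new(version_string)
  v > ADDRESSABLE_FIRST_AFFECTED_EXCLUSIVE && v <= ADDRESSABLE_LAST_AFFECTED
end

# Extract "gem name => resolved version" pairs from a Gemfile.lock's specs block.
# Assumed Bundler layout: section names at column 0 ("GEM", "PLATFORMS", ...),
# "  specs:" at two spaces, resolved gems at four spaces as "name (version)",
# and each gem's own dependencies at six spaces (skipped on purpose).
def locked_gem_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # a new top-level section closes the specs block
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Classify a lockfile as :absent (addressable not used), :affected, :fixed
# (at or above the patched release) or :unaffected (at or below 2.3.0).
def report_addressable(lockfile_text)
  version = locked_gem_versions(lockfile_text)['addressable']
  return { status: :absent, version: nil } if version.nil?

  if addressable_affected?(version)
    { status: :affected, version: version }
  elsif Gem::Version.new(version) >= ADDRESSABLE_FIXED
    { status: :fixed, version: version }
  else
    { status: :unaffected, version: version }
  end
end

# Constructed sample lockfile pinning the last affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.7.0)
        public_suffix (>= 2.0.2, < 5.0)
      public_suffix (4.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    addressable

  BUNDLED WITH
     2.2.3
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_addressable.rb [path/to/Gemfile.lock]
  # With no argument the constructed sample above is checked.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = report_addressable(text)
  puts "addressable #{result[:version].inspect}: #{result[:status]}"
end
```

Note that the check is on the locked version only: a project whose Gemfile.lock resolves addressable but never calls Addressable::Template is, per the advisory, unaffected in practice, so a hit here means "review whether URI templates are built from untrusted input", not "exploitable".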