โ™Š๏ธ GemiNews ๐Ÿ—ž๏ธ

Demo 1: Embeddings + Recommendation Demo 2: Bella RAGa Demo 3: NewRetriever Demo 4: Assistant function calling

๐Ÿ—ž๏ธCVE-2023-36617: ReDoS vulnerability in URI

๐Ÿ—ฟSemantically Similar Articles (by :title_embedding)

CVE-2023-36617: ReDoS vulnerability in URI

2023-06-29 - (from Ruby (EN RSS))

We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-36617. Details A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. The uri gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability. Recommended action We recommend to update the uri gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0: Update to uri 0.10.3 For Ruby 3.1: Update to uri 0.12.2 For Ruby 3.2: Update to uri 0.12.2, or update to Ruby 3.2.3 You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.2" (or other version mentioned above) to your Gemfile. Affected versions uri gem 0.12.1 or before Credits Thanks to ooooooo_q for discovering this issue. Thanks to nobu for fixing this issue. History Added a new recommended action for Ruby 3.2 at 2024-01-18 12:00:00 (UTC) Originally published at 2023-06-29 01:00:00 (UTC) Posted by hsbt on 29 Jun 2023

[Technology] ๐ŸŒŽ https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/

๐Ÿ—ฟarticle.to_s 

------------------------------
Title: CVE-2023-36617: ReDoS vulnerability in URI
Summary: We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability.
This vulnerability has been assigned the CVE identifier CVE-2023-36617.

Details

A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

NOTE: this issue exists because of an incomplete fix for CVE-2023-28755.

The uri gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability.

Recommended action

We recommend to update the uri gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:


  For Ruby 3.0: Update to uri 0.10.3
  For Ruby 3.1: Update to uri 0.12.2
  For Ruby 3.2: Update to uri 0.12.2, or update to Ruby 3.2.3


You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.2" (or other version mentioned above) to your Gemfile.

Affected versions


  uri gem 0.12.1 or before


Credits

Thanks to ooooooo_q for discovering this issue.

Thanks to nobu for fixing this issue.

History


  Added a new recommended action for Ruby 3.2 at 2024-01-18 12:00:00 (UTC)
  Originally published at 2023-06-29 01:00:00 (UTC)


Posted by hsbt on 29 Jun 2023

PublishedDate: 2023-06-29
Category: Technology
NewsPaper: Ruby (EN RSS)
{"id"=>3149,
"title"=>"CVE-2023-36617: ReDoS vulnerability in URI",
"summary"=>"

We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability.\nThis vulnerability has been assigned the CVE identifier CVE-2023-36617.

\n\n

Details

\n\n

A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

\n\n

NOTE: this issue exists because of an incomplete fix for CVE-2023-28755.

\n\n

The uri gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability.

\n\n

Recommended action

\n\n

We recommend to update the uri gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

\n\n
    \n
  • For Ruby 3.0: Update to uri 0.10.3
    • \n
  • For Ruby 3.1: Update to uri 0.12.2
    • \n
  • For Ruby 3.2: Update to uri 0.12.2, or update to Ruby 3.2.3
    • \n
\n\n

You can use gem update uri to update it. If you are using bundler, please add gem \"uri\", \">= 0.12.2\" (or other version mentioned above) to your Gemfile.

\n\n

Affected versions

\n\n
    \n
  • uri gem 0.12.1 or before
    • \n
\n\n

Credits

\n\n

Thanks to ooooooo_q for discovering this issue.

\n\n

Thanks to nobu for fixing this issue.

\n\n

History

\n\n
    \n
  • Added a new recommended action for Ruby 3.2 at 2024-01-18 12:00:00 (UTC)
    • \n
  • Originally published at 2023-06-29 01:00:00 (UTC)
    • \n
\n\n

Posted by hsbt on 29 Jun 2023

",
"content"=>nil,
"author"=>nil,
"link"=>"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/",
"published_date"=>Thu, 29 Jun 2023 01:00:00.000000000 UTC +00:00,
"image_url"=>nil,
"feed_url"=>"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/",
"language"=>nil,
"active"=>true,
"ricc_source"=>"feedjira::v1",
"created_at"=>Wed, 03 Apr 2024 14:31:18.732780000 UTC +00:00,
"updated_at"=>Mon, 13 May 2024 19:02:48.004358000 UTC +00:00,
"newspaper"=>"Ruby (EN RSS)",
"macro_region"=>"Technology"}
Edit this article
Back to articles