Editing article
Title
Summary
We have released uri gem versions 0.12.2 and 0.10.3, which contain a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-36617 (https://www.cve.org/CVERecord?id=CVE-2023-36617).

Details

A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that contain specific characters, causing an increase in execution time when parsing strings into URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

NOTE: this issue exists because of an incomplete fix for CVE-2023-28755 (https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/).

The uri gem version 0.12.1 and all earlier versions are affected by this vulnerability.

Recommended action

We recommend updating the uri gem to 0.12.2. To stay compatible with the version bundled in older Ruby series, you may update as follows instead:

- For Ruby 3.0: update to uri 0.10.3
- For Ruby 3.1: update to uri 0.12.2
- For Ruby 3.2: update to uri 0.12.2, or update to Ruby 3.2.3

You can use gem update uri to update it. If you are using bundler, add gem "uri", ">= 0.12.2" (or the other version mentioned above) to your Gemfile.

Affected versions

- uri gem 0.12.1 or before

Credits

Thanks to ooooooo_q (https://hackerone.com/ooooooo_q) for discovering this issue.

Thanks to nobu (https://github.com/nobu) for fixing this issue.

History

- Added a new recommended action for Ruby 3.2 at 2024-01-18 12:00:00 (UTC)
- Originally published at 2023-06-29 01:00:00 (UTC)

Posted by hsbt on 29 Jun 2023
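As an added example (not part of the advisory and not the uri gem's own code), the following Ruby script encodes the advisory's version matrix so a deployment can check whether the uri gem it has loaded is affected and which Gemfile constraint applies to its Ruby series, and shows a defensive wrapper for parsing untrusted input while the upgrade is pending. The function names, the 2048-byte length cap and the 0.2 s timeout are assumptions of this example.

```ruby
require "rubygems"
require "uri"
require "timeout"

# Version matrix taken from the advisory: every uri release up to and
# including 0.12.1 is affected; 0.10.3 is the fixed backport for the
# 0.10 line that ships bundled with Ruby 3.0.
FIXED_MAIN_LINE = Gem::Version.new("0.12.2")
FIXED_BACKPORT  = Gem::Version.new("0.10.3")

# True when the given uri gem version string is one the advisory lists as
# affected (0.12.1 or before), except the fixed 0.10.x backport.
def uri_gem_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return false if v >= FIXED_MAIN_LINE
  return false if v.segments[0, 2] == [0, 10] && v >= FIXED_BACKPORT
  true
end

# Version of the uri gem actually loaded in this process, whether it is the
# default gem shipped with Ruby or one pulled in by bundler.
def loaded_uri_version
  URI::VERSION
end

# Gemfile line for a given Ruby version, following the per-series
# recommendation in the advisory (0.10.3 for the 3.0 series, 0.12.2 otherwise).
def gemfile_requirement_for(ruby_version)
  series = Gem::Version.new(ruby_version).segments[0, 2].join(".")
  minimum = series == "3.0" ? "0.10.3" : "0.12.2"
  %(gem "uri", ">= #{minimum}")
end

# Defensive wrapper for parsing untrusted input until the gem is updated:
# caps the input length before the regex-based parser sees it and bounds
# the parse with a wall-clock timeout so one pathological string cannot
# stall a worker. Returns nil on rejection instead of raising.
# (max_length and timeout_s are example values, not advisory guidance.)
def parse_untrusted_uri(str, max_length: 2048, timeout_s: 0.2)
  return nil unless str.is_a?(String) && str.bytesize <= max_length
  Timeout.timeout(timeout_s) { URI.parse(str) }
rescue URI::InvalidURIError, Timeout::Error
  nil
end

if __FILE__ == $0
  status = uri_gem_vulnerable?(loaded_uri_version) ? "AFFECTED, update" : "not affected"
  puts "loaded uri #{loaded_uri_version}: #{status}"
  puts "Gemfile line for Ruby #{RUBY_VERSION}: #{gemfile_requirement_for(RUBY_VERSION)}"
  p parse_untrusted_uri("https://www.ruby-lang.org/en/news/")
end
```

The wrapper is a stop-gap, not a fix: the advisory's fix is the gem update, and the length cap and timeout only limit how much time one request can burn in the parser. On Ruby 3.2 and later, Regexp.timeout= gives a process-wide bound on regex matching that covers the parser's regexes without wrapping every call.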
Content
Author
Link
Published date
Image url
Feed url
Guid
Hidden blurb
--- !ruby/object:Feedjira::Parser::RSSEntry
published: 2023-06-29 01:00:00.000000000 Z
carlessian_info:
  news_filer_version: 2
  newspaper: Ruby (EN RSS)
  macro_region: Technology
entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier
  guid: https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
title: 'CVE-2023-36617: ReDoS vulnerability in URI'
categories: []
rss_fields:
- title
- url
- summary
- published
- entry_id
url: https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
Language
Active
Ricc internal notes
Imported via /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-04-03 16:31:18 +0200. Content is EMPTY here. Entried: title,url,summary,published,entry_id. TODO add Newspaper: filename = /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Technology/Ruby (EN RSS)/2023-06-29-CVE-2023-36617:_ReDoS_vulnerability_in_URI-v2.yaml
Ricc source