Bug 1209891 (CVE-2023-28755) - VUL-0: CVE-2023-28755: ruby2.5,ruby3.1,ruby3.2,rubygem-uri: ReDoS vulnerability in URI
Summary: VUL-0: CVE-2023-28755: ruby2.5,ruby3.1,ruby3.2,rubygem-uri: ReDoS vulnerabili...
Status: NEW
Alias: CVE-2023-28755
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/361743/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-28755:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-29 11:16 UTC by Robert Frohl
Modified: 2024-05-17 12:00 UTC
CC: 7 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (mrueckert)


Attachments

Description Robert Frohl 2023-03-29 11:16:22 UTC
CVE-2023-28755:

We have released the uri gem versions 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1 that have a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.


Details:

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

The uri gem versions 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior to 0.10.0 are vulnerable to this vulnerability.


Recommended action:

We recommend updating the uri gem to 0.12.1. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:

    For Ruby 2.7: Update to uri 0.10.0.1
    For Ruby 3.0: Update to uri 0.10.2
    For Ruby 3.1: Update to uri 0.11.1
    For Ruby 3.2: Update to uri 0.12.1

You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.1" (or other version mentioned above) to your Gemfile.


Affected versions:

    uri gem 0.12.0
    uri gem 0.11.0
    uri gem 0.10.1
    uri gem 0.10.0 or before


Credits:

Thanks to Dominic Couture for discovering this issue.

https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
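The advisory above gives the affected and fixed uri gem versions per Ruby series and recommends a Gemfile pin, but it leaves two things to the reader: how to check which uri version a running interpreter actually loaded (the bundled default gem, not necessarily the newest installed one), and what to do about regexp-driven parse time while an update is pending. The following Ruby script is an added example, not code from this bug report or from the ruby-lang.org advisory. It encodes the advisory's version boundaries (note the gap between 0.10.0, affected, and 0.10.0.1, the Ruby 2.7 fix, which a naive "< 0.10.2" test would get wrong) and, on Ruby 3.2 and later, caps the time URI.parse may spend in regexp matching via Regexp.timeout=. The timeout value of 0.5 seconds and the function names are this example's own choices. It covers only CVE-2023-28755 as stated on this page; the incomplete-fix follow-up mentioned later in the thread has its own version boundaries and its own bug.

```ruby
# Added example (not part of the bug report or the ruby-lang advisory):
# audit the loaded uri gem against the fixed versions listed in the advisory
# and bound the time URI.parse may spend in regexps on Ruby 3.2+.
require "uri"
require "rubygems"

# Fixed uri gem version per Ruby series, as given in the advisory.
FIXED_URI_VERSION = {
  "2.7" => "0.10.0.1",
  "3.0" => "0.10.2",
  "3.1" => "0.11.1",
  "3.2" => "0.12.1",
}.freeze

# The advisory's general recommendation for any other Ruby series.
DEFAULT_FIXED_URI_VERSION = "0.12.1"

# Affected releases: three exact versions plus everything at or below 0.10.0.
AFFECTED_EXACT   = %w[0.12.0 0.11.0 0.10.1].map { |v| Gem::Version.new(v) }.freeze
AFFECTED_CEILING = Gem::Version.new("0.10.0")

# True if +version+ is one the advisory lists as vulnerable to CVE-2023-28755.
# Gem::Version ordering puts 0.10.0.1 above 0.10.0 and below 0.10.1, so the
# Ruby 2.7 fix is correctly reported as not affected.
def uri_gem_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_EXACT.include?(v) || v <= AFFECTED_CEILING
end

# Lowest fixed uri version that stays compatible with the given Ruby series.
def required_uri_version(ruby_version = RUBY_VERSION)
  series = ruby_version.split(".").first(2).join(".")
  FIXED_URI_VERSION.fetch(series, DEFAULT_FIXED_URI_VERSION)
end

# Audit result for one Ruby/uri pair. +installed+ defaults to the uri the
# running interpreter actually loaded, which is the code an attacker reaches.
def audit_uri_gem(installed = URI::VERSION, ruby_version = RUBY_VERSION)
  required = required_uri_version(ruby_version)
  {
    ruby: ruby_version,
    installed: installed,
    required: required,
    affected: uri_gem_affected?(installed),
    gemfile_line: %(gem "uri", ">= #{required}"),
  }
end

# Defense in depth for ReDoS: on Ruby 3.2+ cap regexp matching time during
# URI.parse. Regexp.timeout= is process-wide, so the previous value is
# restored afterwards. Older Rubies have no such knob and fall back to a
# plain parse, so the gem update remains the actual fix.
def parse_uri_bounded(str, seconds: 0.5)
  return URI.parse(str) unless Regexp.respond_to?(:timeout=)

  previous = Regexp.timeout
  begin
    Regexp.timeout = seconds
    URI.parse(str)
  rescue Regexp::TimeoutError
    raise URI::InvalidURIError, "URI parse exceeded #{seconds}s (possible ReDoS input)"
  ensure
    Regexp.timeout = previous
  end
end

if $PROGRAM_NAME == __FILE__
  report = audit_uri_gem
  puts "Ruby #{report[:ruby]} loaded uri #{report[:installed]}; " \
       "needs >= #{report[:required]}; affected: #{report[:affected]}"
  puts "Gemfile: #{report[:gemfile_line]}" if report[:affected]
  puts parse_uri_bounded("https://example.com/path?q=1").host
end
```

Run it with the interpreter you deploy (`ruby audit_uri.rb`), not with a developer's newer Ruby: the default uri gem is bundled per Ruby series, so the report differs per installation. Where an application is pinned via Bundler, the `gemfile_line` in the report is the constraint the advisory asks for on that series.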
Comment 3 OBSbugzilla Bot 2023-03-30 16:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1209891) was mentioned in
https://build.opensuse.org/request/show/1075579 Factory / ruby3.2
Comment 9 Cathy Hu 2023-06-30 09:29:54 UTC
There was another CVE (CVE-2023-36617) reported due to an incomplete fix for this one; please check bsc#1212890 for more information.
Comment 11 Maintenance Automation 2023-10-24 16:30:37 UTC
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1193035, 1205726, 1209891, 1209967
CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756
Sources used:
openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1
openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.