Bugzilla – Bug 1209891
VUL-0: CVE-2023-28755: ruby2.5,ruby3.1,ruby3.2,rubygem-uri: ReDoS vulnerability in URI
Last modified: 2024-05-17 12:00:45 UTC
CVE-2023-28755: We have released the uri gem versions 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1, which have a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.

Details:
A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

The uri gem versions 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior to 0.10.0 are vulnerable to this vulnerability.

Recommended action:
We recommend updating the uri gem to 0.12.1. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
  For Ruby 2.7: Update to uri 0.10.0.1
  For Ruby 3.0: Update to uri 0.10.2
  For Ruby 3.1: Update to uri 0.11.1
  For Ruby 3.2: Update to uri 0.12.1

You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.1" (or the other version mentioned above) to your Gemfile.

Affected versions:
  uri gem 0.12.0
  uri gem 0.11.0
  uri gem 0.10.1
  uri gem 0.10.0 or before

Credits:
Thanks to Dominic Couture for discovering this issue.

https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
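As an added example (not code from this bug report, from SUSE, or from the ruby/uri project): a small Ruby check that classifies an installed uri gem version against the affected and fixed versions listed in the advisory above, and emits the Gemfile requirement for the running Ruby series. The module and method names are mine; it assumes that URI::VERSION is defined by the uri gem (falling back to a "rely on the distribution package" message when it is not, as for the ruby2.5 builds tracked here) and that release lines newer than 0.12 postdate the fix, which the advisory does not state. The 0.10 line gets special handling because 0.10.0.1 is the Ruby 2.7 backport fix while 0.10.1, which sorts above it, is still affected.

```ruby
# Added example (not from the Bugzilla page or the ruby/uri project): classifies a uri gem
# version against the affected/fixed versions named in the CVE-2023-28755 advisory.
require "rubygems"

module UriRedosCheck
  V = ->(s) { Gem::Version.new(s) }

  # Minimum fixed uri version per Ruby series, as given in the advisory's "Recommended action".
  RECOMMENDED = {
    "2.7" => "0.10.0.1",
    "3.0" => "0.10.2",
    "3.1" => "0.11.1",
    "3.2" => "0.12.1",
  }.freeze

  # True when +version_string+ is one of the versions the advisory lists as affected:
  # 0.12.0, 0.11.0, 0.10.1, 0.10.0 and everything before 0.10.0.
  def self.vulnerable?(version_string)
    v = Gem::Version.new(version_string)
    major, minor = v.segments.first(2)
    minor ||= 0
    return true  if major == 0 && minor < 10   # "0.10.0 or before"
    return false if major > 0 || minor > 12    # assumption: lines newer than 0.12 postdate the fix
    case minor
    when 10
      # 0.10.0.1 is the Ruby 2.7 backport fix, yet 0.10.1 sorts above it and is still
      # affected; in this line only 0.10.0.1 itself and 0.10.2 or later are fixed.
      !(v == V["0.10.0.1"] || v >= V["0.10.2"])
    when 11 then v < V["0.11.1"]
    when 12 then v < V["0.12.1"]
    end
  end

  # Gemfile requirement for a Ruby series such as "3.1"; series not in the advisory's table
  # get its general recommendation of 0.12.1.
  def self.gemfile_requirement(ruby_series = RUBY_VERSION[/\A\d+\.\d+/])
    %(gem "uri", ">= #{RECOMMENDED.fetch(ruby_series, "0.12.1")}")
  end

  # Describes the uri library loaded into this interpreter. URI::VERSION is assumed to be
  # defined by the uri gem; when it is absent the fix has to arrive through the
  # distribution's ruby package (as with the ruby2.5 update listed on this bug).
  def self.report
    require "uri"
    unless defined?(URI::VERSION)
      return "Ruby #{RUBY_VERSION}: uri reports no version; rely on the distribution ruby update"
    end
    status = vulnerable?(URI::VERSION) ? "affected by CVE-2023-28755" : "not affected"
    "uri #{URI::VERSION} on Ruby #{RUBY_VERSION}: #{status}; Gemfile: #{gemfile_requirement}"
  end
end

puts UriRedosCheck.report if $PROGRAM_NAME == __FILE__
```

Run it with the interpreter you want to audit (ruby uri_redos_check.rb); a plain ">= 0.10.0.1" requirement would wrongly accept 0.10.1, which is why the 0.10 line is compared against the explicit fixed versions rather than a single lower bound.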
This is an autogenerated message for OBS integration: This bug (1209891) was mentioned in https://build.opensuse.org/request/show/1075579 Factory / ruby3.2
There was another CVE (CVE-2023-36617) reported due to an incomplete fix for this one; please check bsc#1212890 for more information.
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1193035, 1205726, 1209891, 1209967
CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756

Sources used:
openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1
openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1
Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1
SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.