Bugzilla – Bug 1209967
VUL-0: CVE-2023-28756: ruby: ReDoS vulnerability in Time
Last modified: 2023-12-11 07:41:06 UTC
We have released the time gem version 0.1.1 and 0.2.2 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28756. Details: The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects. A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and Time library of Ruby 2.7.7. Recommended action: We recommend to update the time gem to version 0.2.2 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0 users: Update to time 0.1.1 For Ruby 3.1/3.2 users: Update to time 0.2.2 You can use gem update time to update it. If you are using bundler, please add gem "time", ">= 0.2.2" to your Gemfile. Unfortunately, time gem only works with Ruby 3.0 or later. If you are using Ruby 2.7, please use the latest version of Ruby. Affected versions: Ruby 2.7.7 or lower time gem 0.1.0 time gem 0.2.1 Credits: Thanks to ooooooo_q for discovering this issue. https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
https://github.com/ruby/time/commit/2444456fc1ad8f84ba01b50fa01d44ae8b1cd00a https://github.com/ruby/time/commit/51034bda4c1d9977e0d49bd6329eed9ed6ca19c9
This is an autogenerated message for OBS integration: This bug (1209967) was mentioned in https://build.opensuse.org/request/show/1075579 Factory / ruby3.2
SUSE-SU-2023:4176-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1193035, 1205726, 1209891, 1209967 CVE References: CVE-2021-33621, CVE-2021-41817, CVE-2023-28755, CVE-2023-28756 Sources used: openSUSE Leap 15.4 (src): ruby2.5-2.5.9-150000.4.29.1 openSUSE Leap 15.5 (src): ruby2.5-2.5.9-150000.4.29.1 Basesystem Module 15-SP4 (src): ruby2.5-2.5.9-150000.4.29.1 Basesystem Module 15-SP5 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Manager Proxy 4.2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Manager Retail Branch Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Manager Server 4.2 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE Enterprise Storage 7.1 (src): ruby2.5-2.5.9-150000.4.29.1 SUSE CaaS Platform 4.0 (src): ruby2.5-2.5.9-150000.4.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.