diff options
| author | Yasuhiro Kimura <yasu@FreeBSD.org> | 2023-03-30 16:53:02 +0000 |
|---|---|---|
| committer | Yasuhiro Kimura <yasu@FreeBSD.org> | 2023-03-30 21:27:40 +0000 |
| commit | 52306be2973467a9d46978ae902529e13e1f49f7 (patch) | |
| tree | 72fcc2752a2648d15007fc9d9b7994642dab4ef6 /security/vuxml/vuln/2023.xml | |
| parent | 81860ddd68cf34152d7b695a842b0646ea9b50c5 (diff) | |
| download | ports-52306be2973467a9d46978ae902529e13e1f49f7.tar.gz ports-52306be2973467a9d46978ae902529e13e1f49f7.zip | |
security/vuxml: Document ReDoS vulnerability in rubygem-time
Diffstat (limited to 'security/vuxml/vuln/2023.xml')
| -rw-r--r-- | security/vuxml/vuln/2023.xml | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 9e0b414465ca..7603d7d53531 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,56 @@ + <vuln vid="6bd2773c-cf1a-11ed-bd44-080027f5fec9"> + <topic>rubygem-time -- ReDoS vulnerability</topic> + <affects> + <package> + <name>ruby</name> + <range><ge>2.7.0,1</ge><lt>2.7.8,1</lt></range> + <range><ge>3.0.0,1</ge><lt>3.0.6,1</lt></range> + <range><ge>3.1.0,1</ge><lt>3.1.4,1</lt></range> + <range><ge>3.2.0.p1,1</ge><lt>3.2.2,1</lt></range> + </package> + <package> + <name>ruby27</name> + <range><ge>2.7.0,1</ge><lt>2.7.8,1</lt></range> + </package> + <package> + <name>ruby30</name> + <range><ge>3.0.0,1</ge><lt>3.0.6,1</lt></range> + </package> + <package> + <name>ruby31</name> + <range><ge>3.1.0,1</ge><lt>3.1.4,1</lt></range> + </package> + <package> + <name>ruby32</name> + <range><ge>3.2.0.p1,1</ge><lt>3.2.2,1</lt></range> + </package> + <package> + <name>rubygem-time</name> + <range><lt>0.2.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ooooooo_q reports:</p> + <blockquote cite="https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/"> + <p> + The Time parser mishandles invalid strings that have + specific characters. It causes an increase in execution + time for parsing strings to Time objects. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-28756</cvename> + <url>https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/</url> + </references> + <dates> + <discovery>2023-03-30</discovery> + <entry>2023-03-30</entry> + </dates> + </vuln> + <vuln vid="9b60bba1-cf18-11ed-bd44-080027f5fec9"> <topic>rubygem-uri -- ReDoS vulnerability</topic> <affects> |