Ruby has issued advisories on March 28: https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ The issues are fixed upstream in Ruby 3.1.4 and ruby-time 0.2.2: https://www.ruby-lang.org/en/news/2023/03/30/ruby-3-1-4-released/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in ruby 3.1.4 and ruby-time 0.2.2
ruby 3.1.4 submitted for cauldron/updates_testing and move requested
ruby-time 0.2.2 submitted for cauldron/updates_testing and move requested
ruby 2.7.8 submitted for 8/updates_testing

Test for CVE-2023-28755:

Before, time is exponential:
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done
real 0m0.859s  user 0m0.858s  sys 0m0.000s
real 0m3.216s  user 0m3.205s  sys 0m0.010s
real 0m13.181s  user 0m13.171s  sys 0m0.010s

After, it no longer gets slower as the number grows:
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done
real 0m0.059s  user 0m0.058s  sys 0m0.000s
real 0m0.058s  user 0m0.058s  sys 0m0.000s
real 0m0.065s  user 0m0.065s  sys 0m0.000s
Test for CVE-2023-28756:

Before, time is exponential:
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done
real 0m1.147s  user 0m1.147s  sys 0m0.000s
real 0m4.510s  user 0m4.500s  sys 0m0.010s
real 0m17.502s  user 0m17.492s  sys 0m0.010s

After, it no longer gets slower as the number grows:
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done
real 0m0.050s  user 0m0.050s  sys 0m0.000s
real 0m0.049s  user 0m0.049s  sys 0m0.000s
real 0m0.051s  user 0m0.051s  sys 0m0.000s
ruby-2.7.8-33.6.mga8
libruby2.7-2.7.8-33.6.mga8
ruby-rdoc-6.2.1.1-33.6.mga8
ruby-devel-2.7.8-33.6.mga8
ruby-bundler-2.2.24-33.6.mga8
ruby-RubyGems-3.1.2-33.6.mga8
ruby-openssl-2.1.4-33.6.mga8
ruby-test-unit-3.3.4-33.6.mga8
ruby-rake-13.0.1-33.6.mga8
ruby-irb-2.7.8-33.6.mga8
ruby-psych-3.1.0-33.6.mga8
ruby-bigdecimal-2.0.0-33.6.mga8
ruby-json-2.3.0-33.6.mga8
ruby-xmlrpc-0.3.0-33.6.mga8
ruby-net-telnet-0.2.0-33.6.mga8
ruby-io-console-0.5.6-33.6.mga8
ruby-power_assert-1.1.7-33.6.mga8
ruby-did_you_mean-1.4.0-33.6.mga8
ruby-doc-2.7.8-33.6.mga8
from ruby-2.7.8-33.6.mga8.src.rpm
Fedora has issued an advisory for this on April 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
Severity: normal => major
Ubuntu has issued an advisory for this on May 4: https://ubuntu.com/security/notices/USN-6055-1
(In reply to David Walser from comment #5)
> Ubuntu has issued an advisory for this on May 4:
> https://ubuntu.com/security/notices/USN-6055-1

and a regression fix on May 5:
https://ubuntu.com/security/notices/USN-6055-2
Ubuntu has issued an advisory for this on May 18: https://ubuntu.com/security/notices/USN-6087-1
Debian-LTS has issued an advisory for this on June 6: https://www.debian.org/lts/security/2023/dla-3447
Ubuntu has issued an advisory for this today (June 21): https://ubuntu.com/security/notices/USN-6181-1
Also note there's CVE-2023-36617, due to an incomplete fix for CVE-2023-28755: https://ubuntu.com/security/notices/USN-6219-1 https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
Mageia 8, x86_64

Missed this one somehow.

Before the update:

CVE-2023-28755
$ for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done
real 0m1.677s  user 0m1.659s  sys 0m0.015s
real 0m7.592s  user 0m7.580s  sys 0m0.012s
real 0m31.993s  user 0m31.980s  sys 0m0.012s

CVE-2023-28756
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done
real 0m1.265s  user 0m1.251s  sys 0m0.012s
real 0m4.795s  user 0m4.786s  sys 0m0.008s
real 0m18.995s  user 0m18.985s  sys 0m0.009s

After the update:

CVE-2023-28755:
for t in 5 10 20; do time ruby -ruri -e 'begin; URI.parse("https://example.com/dir/" + "a" * '$t'0000 + "/##.jpg"); rescue URI::InvalidURIError; end'; done
real 0m0.085s  user 0m0.074s  sys 0m0.011s
real 0m0.082s  user 0m0.068s  sys 0m0.014s
real 0m0.061s  user 0m0.051s  sys 0m0.010s

CVE-2023-28756:
$ for t in 5 10 20; do time ruby -rtime -e 'begin; Time.rfc2822("0 Feb 00 00 :00" + " " * '$t'000); rescue ArgumentError; end'; done
real 0m0.079s  user 0m0.065s  sys 0m0.014s
real 0m0.045s  user 0m0.029s  sys 0m0.016s
real 0m0.084s  user 0m0.070s  sys 0m0.014s

Those issues are fixed for Mageia 8.
CC: (none) => tarazed25
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
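The shell loops in comments 3 and 14 check the fixes by eye: the same input shape, doubled each step, should not quadruple the runtime. The script below is an added example (not from this bug or from the Ruby project) that automates that regression check for both CVEs in Ruby itself; the input sizes, repeat count and the 3x growth threshold are assumptions chosen for the check, not values from the advisories.

```ruby
# Regression check for the two ReDoS fixes tracked in this bug: time
# URI.parse (CVE-2023-28755) and Time.rfc2822 (CVE-2023-28756) on the same
# malformed inputs as the shell loops, doubling the input each step, and
# flag the library when runtime grows much faster than the input. A linear
# parser roughly doubles per step; the vulnerable regexes quadrupled or worse.
require 'uri'
require 'time'

REDOS_CASES = {
  'CVE-2023-28755' => ->(n) { URI.parse("https://example.com/dir/" + "a" * n + "/##.jpg") },
  'CVE-2023-28756' => ->(n) { Time.rfc2822("0 Feb 00 00 :00" + " " * n) },
}.freeze

# Wall-clock seconds for one call. Both inputs are invalid on purpose, so the
# parser is expected to reject them; the time spent deciding that is measured.
def time_call(fn, n)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  begin
    fn.call(n)
  rescue URI::Error, ArgumentError
    # expected outcome for malformed input
  end
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
end

# [[size, seconds], ...] for base, 2*base and 4*base characters, keeping the
# best of `repeats` runs so a scheduler hiccup does not distort one ratio.
def growth_profile(fn, base:, repeats: 3)
  [base, base * 2, base * 4].map do |n|
    [n, Array.new(repeats) { time_call(fn, n) }.min]
  end
end

# Flag when doubling the input multiplies the time by more than `factor` on
# any step; `floor` (assumed value) ignores steps too short to time reliably.
def superlinear?(profile, factor: 3.0, floor: 0.01)
  profile.each_cons(2).any? do |(_, t1), (_, t2)|
    t1 > floor && t2 / t1 > factor
  end
end

# Base sizes (assumed) match the smallest inputs used in the bug's shell loops.
def check_redos(sizes = { 'CVE-2023-28755' => 50_000, 'CVE-2023-28756' => 5_000 })
  REDOS_CASES.to_h do |cve, fn|
    profile = growth_profile(fn, base: sizes.fetch(cve))
    [cve, { profile: profile, vulnerable: superlinear?(profile) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  check_redos.each { |cve, r| puts "#{cve}: #{r[:vulnerable] ? 'VULNERABLE' : 'ok'} #{r[:profile].inspect}" }
end
```

On a patched interpreter all three samples per CVE stay within noise of each other; on an unpatched one the ratios mirror the roughly 4x-per-doubling numbers seen in the "Before" runs above.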
Referring to comment 11; Final ruby installation contains:
lib64ruby2.7-2.7.8-33.6.mga8
ruby-json-2.3.0-33.6.mga8
ruby-xmlrpc-0.3.0-33.6.mga8
ruby-io-console-0.5.6-33.6.mga8
ruby-test-unit-3.3.4-33.6.mga8
ruby-devel-2.7.8-33.6.mga8
ruby-openssl-2.1.4-33.6.mga8
ruby-power_assert-1.1.7-33.6.mga8
ruby-tk-0.2.0-6.mga8
ruby-bigdecimal-2.0.0-33.6.mga8
ruby-bundler-2.2.24-33.6.mga8
ruby-did_you_mean-1.4.0-33.6.mga8
ruby-irb-2.7.8-33.6.mga8
ruby-rdoc-6.2.1.1-33.6.mga8
ruby-doc-2.7.8-33.6.mga8
ruby-psych-3.1.0-33.6.mga8
ruby-2.7.8-33.6.mga8
ruby-RubyGems-3.1.2-33.6.mga8
ruby-net-telnet-0.2.0-33.6.mga8
ruby-rake-13.0.1-33.6.mga8
Mageia 8 EOL
Resolution: (none) => OLD
Status: NEW => RESOLVED
CC: (none) => nicolas.salguero