[ubuntu/hirsute-security] ruby2.7 2.7.2-4ubuntu1.3 (Accepted)
Leonidas S. Barbosa
leo.barbosa at canonical.com
Tue Jan 18 17:23:21 UTC 2022
ruby2.7 (2.7.2-4ubuntu1.3) hirsute-security; urgency=medium
* SECURITY UPDATE: Buffer overrun
- debian/patches/CVE-2021-41816.patch: fix integer overflow making
sure use of the check in rb_alloc_tmp_buffer2 in
ext/cgi/escape/escape.c.
- CVE-2021-41816
* SECURITY UPDATE: ReDoS vulnerability
- debian/patches/CVE-2021-41817-*.patch: add length limit option
for methods that parses date strings and mimic prev behaviour
in ext/date/date_core.c, test/date/test_date_parse.rb.
- CVE-2021-41817
* SECURITY UPDATE: Mishandles sec prefixes in cookie names
- debian/patches/CVE-2021-41819.patch: when parsing cookies, only
decode the values in lib/cgi/cookie.rb, test/cgi/test_cgi_cookie.rb.
- CVE-2021-41819
Date: 2022-01-06 14:50:09.753087+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.2-4ubuntu1.3
-------------- next part --------------
Sorry, changesfile not available.
More information about the Hirsute-changes
mailing list