[ubuntu/kinetic-updates] ruby3.1 3.1.2-2ubuntu0.22.10.1 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Wed Jun 21 09:58:13 UTC 2023
ruby3.1 (3.1.2-2ubuntu0.22.10.1) kinetic-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2021-33621*.patch: adds regex to lib/cgi/core.rb and
lib/cgi/cookie.rb along with tests to check http response headers and
cookie fields for invalid characters.
- CVE-2021-33621
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-28755-*.patch: URI.parse should set empty
string in host instead of nil in lib/uri/rfc3986_parser.rb, raise
ArgumentError with empty host url again in
lib/net/http/generic_request.rb.
- debian/patches/fix-uri-tests.patch: Added assert_linear_performance
for URI tests
- CVE-2023-28755
* SECURITY UPDATE: ReDos
- debian/patches/CVE-2023-28756-*.patch: fix quadratic backtracking on
invalid time and make RFC2822 regexp linear in lib/time.rb.
- CVE-2023-28756
* debian/patches/fix-tzdata-tests.patch: Fix for tzdata-2022g
* debian/patches/fix-wss-tests.patch: Fix uninitialized constant URI::WSS
* debian/patches/fix-generic-tests.patch: Raise ArgumentError with empty
host url again
Date: 2023-06-16 10:30:07.290074+00:00
Changed-By: Nishit Majithia <nishit.majithia at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/ruby3.1/3.1.2-2ubuntu0.22.10.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the kinetic-changes
mailing list