[SECURITY] [DLA 3447-1] ruby2.5 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3447-1] ruby2.5 security update
From: "Chris Lamb" <lamby@debian.org>
Date: Wed, 07 Jun 2023 13:38:22 -0700
Message-id: <[🔎] 168608308162.446132.7590389214890207471@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3447-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
June 06, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby2.5
Version        : 2.5.5-3+deb10u5
CVE IDs        : CVE-2023-28755 CVE-2023-28756

Two regular expression Denial of Service (ReDoS) issues were
discovered in Ruby: the first in the URI component, and the second
in the Time module. Each of these issues could have resulted in a
dramatic increase in execution time given malicious input.

For Debian 10 buster, these problems have been fixed in version
2.5.5-3+deb10u5.

We recommend that you upgrade your ruby2.5 packages.

For the detailed security status of ruby2.5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmR/lgcACgkQHpU+J9Qx
HlhiORAAiPXyZOadnygthfvNJ2sZsVuSNl4x6NAQFdZPwZ3+A/yu7EkmIEJd2isP
ez+fpdINWFw/MNjXes/wLpUV+E5QmOLk2AUyFXeFaZ+fCdFa79eprq2gX82kkrJ2
dFjA/4coJqLKSDybTkaQD1c56YZwd2yn9uCcFhfO/SmfdDydA/cDbGUDcPFGGbks
50SOp7c1pMeXrI+9uRPDk+5qfBlWuu5WruJaR++XPACyP5NboxbfLN7hSGc+c5s9
bXyZpGNLX9KJNNNeDbDs5rcVXhqmNisvDHLkaCKpyjKv8wf33RZFJ9hdUT2Ms3GQ
OktUlGKDqZPaCIJsrBQltGS55QRYeeljAeqr0aa3Pcz/B4HJ4sG6qWz7KdD12wDs
KZmjDoVUREPdbxvDe3LgbxZVtvg7uxT9O9e7wH1Z0pHADWIUw46x7QitI8dQOcZY
3ATGTIIqpoxSEFNtvCSH4w70SE/IZQbMgX0QRCSiK8TtSDOZ2TYqJoBRMBZ9AhOI
Y4GE9X2qb1HytQ8GwMB8XiUeKQIjtMII4DZCUAgBpBhFGt6qRxDJdltyO9yf4yx5
XtMH1voraomOO0AcMviiP717ERFpztzSZ7o+IIGTrKo0kuTq+JtFRrFfr83pwNuj
30u+FXqTiLEuTa0XzhS1ZR7tek20gilSusV4GO4veMGNEda7yUk=
=+elP
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3446-1] linux-5.10 security update
Next by Date: [SECURITY] [DLA 3448-1] firefox-esr security update
Previous by thread: [SECURITY] [DLA 3446-1] linux-5.10 security update
Next by thread: [SECURITY] [DLA 3448-1] firefox-esr security update
Index(es):
- Date
- Thread