Univention Bugzilla – Bug 54283
ruby2.3: Multiple issues (4.4)
Last modified: 2022-01-05 17:58:54 CET
New Debian ruby2.3 2.3.3-1+deb9u11 fixes:

This update addresses the following issues:
* Regular Expression Denial of Service Vulnerability of Date Parsing Methods (CVE-2021-41817)
* cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/ruby2.3_2.3.3-1+deb9u10.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/ruby2.3_2.3.3-1+deb9u11.dsc @@ -1,3 +1,10 @@ +2.3.3-1+deb9u11 [Mon, 06 Dec 2021 05:25:44 +0530] Utkarsh Gupta <utkarsh@debian.org>: + + * Add length limit option for methods that parses + date strings. (Fixes: CVE-2021-41817) + * When parsing cookies, only decode the values. + (Fixes: CVE-2021-41819) + 2.3.3-1+deb9u10 [Sun, 19 Sep 2021 09:10:46 +0530] Utkarsh Gupta <utkarsh@debian.org>: * Add patch to use File.open to fix the OS Command <http://piuparts.knut.univention.de/4.4-8/#5476384689430753738>
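Review bot: the first changelog item in the new 2.3.3-1+deb9u11 entry, "Add length limit option for methods that parses date strings", should read "methods that parse date strings"; more importantly, it names a new length limit option for the CVE-2021-41817 fix but does not record the default limit or what callers whose input exceeds it will see, which is the behaviour change an operator upgrading ruby2.3 needs to know about, so state both in the entry. The second item, "When parsing cookies, only decode the values", would be clearer if it said which part of the cookie string is no longer decoded, so the relation to the CVE-2021-41819 prefix-spoofing fix is explicit.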
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] c1f17a35ce Bug #54283: ruby2.3 2.3.3-1+deb9u11
 doc/errata/staging/ruby2.3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-8] e6613c76d3 Bug #54283: ruby2.3 2.3.3-1+deb9u11
 doc/errata/staging/ruby2.3.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1142>