Bug 6815 - [Anolis OS 23] Bugfix for CVE-2023-36617
Summary: [Anolis OS 23] Bugfix for CVE-2023-36617
Status: RESOLVED FIXED
Alias: None
Product: Anolis OS 23
Classification: Anolis OS
Component: BaseOS Packages (show other bugs) BaseOS Packages
Version: unspecified
Hardware: All Linux
: P3-Medium S3-normal
Target Milestone: ---
Assignee: happy_orange
QA Contact: bolong_tbl
URL:
Whiteboard:
Keywords: CVE
Depends on:
Blocks:
 
Reported: 2023-10-16 14:06 UTC by 小龙
Modified: 2023-10-16 14:06 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description 小龙 admin 2023-10-16 14:06:09 UTC 
Description:
在Ruby0.12.2之前的URI组件中发现了ReDoS问题。URI解析器错误地处理具有特定字符的无效URL。使用rfc2396_parser.rb和rfc3986_parser.rb将字符串解析为URI对象的执行时间会增加。注意:此问题的存在是因为CVE-2023-28755的修复不完整。0.10.3版本也是一个固定版本。

Broken commit info:

Bugfix commit info:
https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0