===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1902
                 CVE-2023-28756: ReDoS vulnerability in Time
                               31 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28756

Original Bulletin:
   https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

Comment: CVSS (Max): None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2023-28756: ReDoS vulnerability in Time

Posted by hsbt on 30 Mar 2023

We have released the time gem versions 0.1.1 and 0.2.2, which include a
security fix for a ReDoS vulnerability. This vulnerability has been assigned
the CVE identifier CVE-2023-28756.

Details

The Time parser mishandles invalid strings that contain specific characters,
causing an increase in execution time when such strings are parsed into Time
objects. A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and in
the Time library of Ruby 2.7.7.

Recommended action

We recommend updating the time gem to version 0.2.2 or later. To stay
compatible with the version bundled in older Ruby series, you may instead
update as follows:

  o For Ruby 3.0 users: Update to time 0.1.1
  o For Ruby 3.1/3.2 users: Update to time 0.2.2

You can run "gem update time" to update it. If you are using bundler, add the
line gem "time", ">= 0.2.2" to your Gemfile.

Note that the time gem only works with Ruby 3.0 or later. If you are using
Ruby 2.7, please use the latest version of Ruby.

Affected versions

  o Ruby 2.7.7 or lower
  o time gem 0.1.0
  o time gem 0.2.1

Credits

Thanks to ooooooo_q for discovering this issue.
History

  o Originally published at 2023-03-30 11:00:00 (UTC)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
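The fix matrix above (Ruby 3.0 needs time 0.1.1, Ruby 3.1/3.2 need 0.2.2, Ruby 2.7 cannot use the gem) is easy to misread during patch triage. The following script is an added example, not part of the advisory or the Ruby project's own tooling: it classifies a Ruby / time gem version pair against those thresholds and reports on the interpreter it runs under. The helper names and the status symbols are assumptions made for this example.

```ruby
# Added example (not from the advisory): classify a Ruby / time gem
# combination against the fixed versions listed for CVE-2023-28756.
require "rubygems"
require "time"

RUBY_3_0 = Gem::Version.new("3.0")
RUBY_3_1 = Gem::Version.new("3.1")

# Minimum fixed time gem version for a Ruby version, per the advisory:
# Ruby 3.0 -> time 0.1.1; Ruby 3.1/3.2 (the general recommendation) -> 0.2.2.
# Ruby below 3.0 cannot use the standalone gem at all (the advisory tells
# 2.7 users to move to the latest Ruby), so nil is returned for it.
def minimum_fixed_time_version(ruby_version)
  ruby = Gem::Version.new(ruby_version)
  return nil if ruby < RUBY_3_0
  ruby < RUBY_3_1 ? Gem::Version.new("0.1.1") : Gem::Version.new("0.2.2")
end

# Returns :patched, :vulnerable, :unsupported_ruby (Ruby < 3.0, fix only via
# a Ruby upgrade) or :unknown (no time gem version could be determined).
def time_gem_status(ruby_version, time_gem_version)
  minimum = minimum_fixed_time_version(ruby_version)
  return :unsupported_ruby if minimum.nil?
  return :unknown if time_gem_version.nil?
  Gem::Version.new(time_gem_version) >= minimum ? :patched : :vulnerable
end

# Status of the interpreter running this script. The activated time gem
# (default or installed) is read from Gem.loaded_specs after require "time".
def current_status
  spec = Gem.loaded_specs["time"]
  time_gem_status(RUBY_VERSION, spec && spec.version.to_s)
end

if __FILE__ == $PROGRAM_NAME
  version = Gem.loaded_specs["time"]&.version || "unknown"
  puts "Ruby #{RUBY_VERSION}: time gem #{version} -> #{current_status}"
end
```

Run it under each Ruby you deploy; a :vulnerable or :unsupported_ruby result means the bundled or pinned time gem still needs the upgrade described in the advisory.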
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================