UBUNTU-CVE-2023-28756
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2023-28756
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28756.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-28756
- Related
- Published
- 2023-03-31T04:15:00Z
- Modified
- 2023-03-31T04:15:00Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
- References
-
- https://ubuntu.com/security/CVE-2023-28756
- https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
- https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
- https://github.com/ruby/time/releases/
- https://www.ruby-lang.org/en/downloads/releases/
- https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
- https://github.com/ruby/time/commit/3dce6f73d14f5fad6d9b302393fd02df48797b11
- https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943
- https://ubuntu.com/security/notices/USN-6055-1
- https://ubuntu.com/security/notices/USN-6055-2
- https://ubuntu.com/security/notices/USN-6087-1
- https://ubuntu.com/security/notices/USN-6181-1
- https://www.cve.org/CVERecord?id=CVE-2023-28756
Affected packages
Ubuntu:Pro:14.04:LTS / jruby
Package
- Name
- jruby
Ubuntu:Pro:16.04:LTS / ruby2.3
Package
- Name
- ruby2.3
- Purl
- pkg:deb/ubuntu/ruby2.3@2.3.1-2~ubuntu16.04.16+esm7?arch=src?distro=esm-infra/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.1-2~ubuntu16.04.16+esm7
Affected versions
2.*
2.3.0-1
2.3.0-2
2.3.0-4ubuntu2
2.3.0-4ubuntu3
2.3.0-5ubuntu1
2.3.1-2~16.04
2.3.1-2~16.04.2
2.3.1-2~16.04.4
2.3.1-2~16.04.5
2.3.1-2~16.04.6
2.3.1-2~16.04.7
2.3.1-2~16.04.9
2.3.1-2~16.04.10
2.3.1-2~16.04.11
2.3.1-2~16.04.12
2.3.1-2~ubuntu16.04.13
2.3.1-2~ubuntu16.04.14
2.3.1-2~ubuntu16.04.15
2.3.1-2~ubuntu16.04.16
2.3.1-2~ubuntu16.04.16+esm1
2.3.1-2~ubuntu16.04.16+esm2
2.3.1-2~ubuntu16.04.16+esm3
2.3.1-2~ubuntu16.04.16+esm4
2.3.1-2~ubuntu16.04.16+esm5
2.3.1-2~ubuntu16.04.16+esm6
Ecosystem specific
{
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"ubuntu_priority": "medium",
"binaries": [
{
"libruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-tcltk": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-dev-dbgsym": "2.3.1-2~ubuntu16.04.16+esm7",
"libruby2.3-dbg": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-dev": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.16+esm7",
"libruby2.3": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-tcltk-dbgsym": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3": "2.3.1-2~ubuntu16.04.16+esm7",
"ruby2.3-doc": "2.3.1-2~ubuntu16.04.16+esm7"
}
]
}
Ubuntu:Pro:16.04:LTS / jruby
Package
- Name
- jruby
Ubuntu:18.04:LTS / ruby2.5
Package
- Name
- ruby2.5
- Purl
- pkg:deb/ubuntu/ruby2.5@2.5.1-1ubuntu1.16?arch=src?distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.5.1-1ubuntu1.16
Affected versions
2.*
2.5.0~preview1-1ubuntu2
2.5.0-4ubuntu1
2.5.0-4ubuntu4
2.5.0-5ubuntu1
2.5.0-6ubuntu1
2.5.1-1ubuntu1
2.5.1-1ubuntu1.1
2.5.1-1ubuntu1.2
2.5.1-1ubuntu1.4
2.5.1-1ubuntu1.5
2.5.1-1ubuntu1.6
2.5.1-1ubuntu1.7
2.5.1-1ubuntu1.8
2.5.1-1ubuntu1.9
2.5.1-1ubuntu1.10
2.5.1-1ubuntu1.11
2.5.1-1ubuntu1.12
2.5.1-1ubuntu1.13
2.5.1-1ubuntu1.14
2.5.1-1ubuntu1.15
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"ruby2.5": "2.5.1-1ubuntu1.16",
"ruby2.5-dbgsym": "2.5.1-1ubuntu1.16",
"libruby2.5": "2.5.1-1ubuntu1.16",
"libruby2.5-dbgsym": "2.5.1-1ubuntu1.16",
"ruby2.5-dev": "2.5.1-1ubuntu1.16",
"ruby2.5-doc": "2.5.1-1ubuntu1.16"
}
]
}
Ubuntu:Pro:18.04:LTS / jruby
Package
- Name
- jruby
Ubuntu:20.04:LTS / jruby
Package
- Name
- jruby
Ubuntu:20.04:LTS / ruby2.7
Package
- Name
- ruby2.7
- Purl
- pkg:deb/ubuntu/ruby2.7@2.7.0-5ubuntu1.11?arch=src?distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.0-5ubuntu1.11
Affected versions
2.*
2.7.0-1
2.7.0-2
2.7.0-3
2.7.0-4
2.7.0-4ubuntu1
2.7.0-5ubuntu1
2.7.0-5ubuntu1.1
2.7.0-5ubuntu1.2
2.7.0-5ubuntu1.3
2.7.0-5ubuntu1.4
2.7.0-5ubuntu1.5
2.7.0-5ubuntu1.6
2.7.0-5ubuntu1.7
2.7.0-5ubuntu1.8
2.7.0-5ubuntu1.9
2.7.0-5ubuntu1.10
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"ruby2.7-doc": "2.7.0-5ubuntu1.11",
"ruby2.7-dbgsym": "2.7.0-5ubuntu1.11",
"ruby2.7": "2.7.0-5ubuntu1.11",
"libruby2.7": "2.7.0-5ubuntu1.11",
"libruby2.7-dbgsym": "2.7.0-5ubuntu1.11",
"ruby2.7-dev": "2.7.0-5ubuntu1.11"
}
]
}
Ubuntu:22.04:LTS / ruby3.0
Package
- Name
- ruby3.0
- Purl
- pkg:deb/ubuntu/ruby3.0@3.0.2-7ubuntu2.4?arch=src?distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.2-7ubuntu2.4
Affected versions
3.*
3.0.2-5ubuntu1
3.0.2-7
3.0.2-7ubuntu2
3.0.2-7ubuntu2.1
3.0.2-7ubuntu2.2
3.0.2-7ubuntu2.3
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"ruby3.0-dev": "3.0.2-7ubuntu2.4",
"ruby3.0": "3.0.2-7ubuntu2.4",
"ruby3.0-doc": "3.0.2-7ubuntu2.4",
"libruby3.0": "3.0.2-7ubuntu2.4",
"libruby3.0-dbgsym": "3.0.2-7ubuntu2.4",
"ruby3.0-dbgsym": "3.0.2-7ubuntu2.4"
}
]
}