Source: ruby3.0
Version: 3.0.2-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for ruby3.0; they were fixed
upstream in 3.0.3.

CVE-2021-41816[0]:
| Buffer Overrun in CGI.escape_html

CVE-2021-41817[1]:
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS
| (regular expression Denial of Service) via a long string. The fixed
| versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVE-2021-41819[2]:
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes
| in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41816
[1] https://security-tracker.debian.org/tracker/CVE-2021-41817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
[2] https://security-tracker.debian.org/tracker/CVE-2021-41819
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819

Regards,
Salvatore
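Two of the issues in the report above can be guarded against in application code regardless of which cgi/date gem version is installed. The Ruby below is an added example and is not code from the bug report, from Debian, or from the Ruby, cgi or date projects. It assumes a raw Cookie request-header value as input; the helper names parse_cookie_header, spoofed_prefix_names and safe_date_parse are hypothetical, and the 128-character bound mirrors the default limit the fixed date gem applies to Date.parse.

```ruby
# Added example (not from the bug report or the Ruby projects): defensive
# handling for CVE-2021-41819 (cookie prefix spoofing) and CVE-2021-41817
# (Date.parse ReDoS), written against plain Ruby.
require 'cgi'
require 'date'

# CVE-2021-41819: a cookie parser that URL-decodes cookie *names* lets a
# client send "%5F%5FSecure-sid=..." and have it come back as
# "__Secure-sid", a name the browser would only have allowed with the
# Secure attribute set.  The safe behaviour is to keep names verbatim and
# treat a name that only gains a prefix after decoding as an attack.
COOKIE_PREFIXES = %w[__Secure- __Host-].freeze

# Parses a raw Cookie header value into { name => [values] }.  The name is
# taken exactly as sent; only the value is URL-decoded.
def parse_cookie_header(header)
  cookies = Hash.new { |h, k| h[k] = [] }
  header.split(/;\s*/).each do |pair|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    cookies[name] << CGI.unescape(value.to_s)
  end
  cookies
end

# Returns the cookie names that would carry a security prefix only after
# URL-decoding, i.e. the spoofing attempt the CVE describes.  A name that
# already starts with the prefix unencoded is what a real browser sends
# and is not flagged here.
def spoofed_prefix_names(cookies)
  cookies.keys.select do |name|
    decoded = CGI.unescape(name)
    decoded != name && COOKIE_PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end

# CVE-2021-41817: Date.parse backtracks badly on long input.  The upstream
# fix bounds the input length (default 128 characters); this wrapper
# enforces the same bound before the parser ever sees the string, so it
# holds on Rubies that still ship the vulnerable date gem.
DATE_INPUT_LIMIT = 128

def safe_date_parse(str, limit: DATE_INPUT_LIMIT)
  if str.length > limit
    raise ArgumentError, "date string length #{str.length} exceeds limit #{limit}"
  end
  Date.parse(str)
end

if __FILE__ == $0
  # Constructed sample header: one encoded (spoofed) prefix, one genuine.
  header = '%5F%5FSecure-sid=abc%20def; __Host-csrf=tok; theme=dark'
  cookies = parse_cookie_header(header)
  p cookies
  p spoofed_prefix_names(cookies)
  p safe_date_parse('2021-11-24')
  begin
    safe_date_parse('1' * 1000)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The spoofing check is only meaningful if the server-side parser never decodes names; if the framework in use decodes them (as the vulnerable CGI::Cookie.parse did), the prefix has already been laundered by the time application code sees the name.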