FWIW, in Ubuntu, we had a similar issue trying to fix this CVE in ruby2.7,
and in the end we reverted the fix:

https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.10

Lucas Kanashiro.

On Wed, Jun 7, 2023 at 07:47, Utkarsh Gupta <guptautkarsh2...@gmail.com>
wrote:

> Hiya,
>
> On Wed, Jun 7, 2023 at 2:39 PM Moritz Muehlenhoff <j...@inutil.org> wrote:
> > Specifically https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
> > states:
> >
> > | For Ruby 2.7: Update to uri 0.10.0.1
> > | For Ruby 3.0: Update to uri 0.10.2
> > | For Ruby 3.1: Update to uri 0.11.1
> > | For Ruby 3.2: Update to uri 0.12.1
> >
> > And the 0.10 change (https://github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70)
> > is different from the 0.12 one (https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175)
> >
> > There might be other changes needed for 2.5, not sure.
>
> Yep, I'm taking a look to prep something for 2.5.
>
>
> - u
>
>
