Bug 2025104 (CVE-2021-41817)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | caswilli, hhorak, jaruga, joe, jorton, jprokop, jwong, kaycoth, kyoshida, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vmugicag, vondruch |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | ruby-date 3.2.1, ruby-date 3.1.2, ruby-date 3.0.2, ruby-date 2.0.1, ruby 3.0.3, ruby 2.7.5, ruby 2.6.9 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in ruby: the Date parsing methods (Date.parse and related) are vulnerable to a regular expression denial of service (ReDoS) while parsing date strings. An attacker who can supply a specially crafted date string can hang a ruby application. The highest threat from this vulnerability is to system availability. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-03-03 01:49:39 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2025503, 2026669, 2026670, 2026671, 2026672, 2026673, 2027703, 2027704, 2027705, 2027706, 2027707, 2027708, 2027709, 2027710, 2037995, 2053046, 2053047, 2053048, 2053049, 2057448, 2100522, 2109427, 2123021, 2128627, 2128635 | | |
| Bug Blocks | 2025105 | | |
Description
Pedro Sampaio
2021-11-19 21:05:10 UTC
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 2026671]

Created ruby:2.5/ruby tracking bugs for this issue:
Affects: fedora-34 [bug 2026673]

Created ruby:2.6/ruby tracking bugs for this issue:
Affects: fedora-all [bug 2026669]

Created ruby:2.7/ruby tracking bugs for this issue:
Affects: fedora-all [bug 2026670]

Created ruby:master/ruby tracking bugs for this issue:
Affects: fedora-all [bug 2026672]

Upstream fix in date v3.2.1:
https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0

Additional fixes to mimic previous behavior:
https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d
https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-41817

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856
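Added example (not part of this bug report and not code from the ruby/date project) showing how an application guards Date.parse against the oversized input this flaw concerns. The upstream fix referenced above gives Date.parse and the other parsing methods a `limit:` keyword, defaulting to 128 bytes, that raises ArgumentError for longer strings before the vulnerable regexes run; passing `limit: nil` disables the check. The explicit pre-check in `parse_date_safely` is this example's own addition so the guard also holds on builds that predate the fix, and the sample inputs are constructed.

```ruby
require 'date'

# Default length limit that the upstream fix (ruby/date 3.2.1 and its
# backports) applies to Date.parse and the other parsing methods; longer
# input raises ArgumentError before the vulnerable regexes run.
DEFAULT_LIMIT = 128

# Constructed sample inputs (not taken from the bug report).
GOOD_INPUT = '2021-11-19 21:05:10 UTC'
LONG_INPUT = '2021-11-19' + (' ' * 300)   # a valid date padded past the limit
JUNK_INPUT = 'x' * 300                    # long and not a date at all

# Parse an untrusted date string defensively. Returns a Date, or nil when the
# input is rejected. The explicit bytesize check (this example's own addition)
# runs before any regex sees the string, so the guard also holds on builds
# that predate the fix; on fixed builds the same limit is passed through to
# Date.parse as a second line of defence.
def parse_date_safely(str, limit: DEFAULT_LIMIT)
  raise TypeError, 'limit must be an Integer' unless limit.is_a?(Integer)
  return nil unless str.is_a?(String)
  return nil if str.bytesize > limit

  begin
    Date.parse(str, limit: limit)
  rescue ArgumentError # Date::Error is a subclass of ArgumentError
    nil
  end
end

# Explicit opt-out for callers that legitimately need to parse long strings:
# limit: nil disables the parser's length check entirely, so only use it on
# input that is already trusted or has been bounded some other way.
def parse_date_unbounded(str)
  Date.parse(str, limit: nil)
end

if __FILE__ == $PROGRAM_NAME
  puts parse_date_safely(GOOD_INPUT)              # 2021-11-19
  p parse_date_safely(LONG_INPUT)                 # nil (rejected by length)
  p parse_date_safely(JUNK_INPUT)                 # nil (rejected by length)
  puts parse_date_safely(LONG_INPUT, limit: 1024) # 2021-11-19
  puts parse_date_unbounded(LONG_INPUT)           # 2021-11-19
end
```

Rejecting on byte length before calling the parser is the cheap part of the mitigation; the `limit:` keyword matters because code that already called Date.parse on unfiltered input gets the default 128-byte cap simply by upgrading to one of the fixed versions listed in the table above, while any call site that opts out with `limit: nil` re-opens the ReDoS on whatever it passes in.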