Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. References: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 2026671] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-34 [bug 2026673] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 2026669] Created ruby:2.7/ruby tracking bugs for this issue: Affects: fedora-all [bug 2026670] Created ruby:master/ruby tracking bugs for this issue: Affects: fedora-all [bug 2026672]
Upstream fix in date v3.2.1 : https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0 Additional fixes to mimic previous behavior : https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41817
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856