Ruby 3.0.3 Released
Ruby 3.0.3 has been released.
Posted by nagachika on 24 Nov 2021
A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.
Posted by mame on 24 Nov 2021
A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.
Posted by mame on 24 Nov 2021
We have released date gem versions 3.2.1, 3.1.2, 3.0.2, and 2.0.1, which include a security fix for a regular expression denial of service (ReDoS) vulnerability in the date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817.
Posted by mame on 15 Nov 2021