[SECURITY] [DLA 3480-1] ruby-redcloth security update

2023-07-0622:09:03

lists.debian.org

cve-2023-31606

redos vulnerability

ruby-redcloth

denial of service

debian 10 buster

security update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.7%

JSON

Debian LTS Advisory DLA-3480-1 [email protected]
https://www.debian.org/lts/security/ Bastien RoucariÃ¨s
July 06, 2023 https://wiki.debian.org/LTS

Package : ruby-redcloth
Version : 4.3.2-3+deb10u1
CVE ID : CVE-2023-31606
Debian Bug : 1040488

A Regular Expression Denial of Service (ReDoS) issue
was discovered in the sanitize_html function of redcloth gem.
This vulnerability allows attackers to cause a Denial of Service (DoS)
via supplying a crafted payload.

For Debian 10 buster, this problem has been fixed in version
4.3.2-3+deb10u1.

We recommend that you upgrade your ruby-redcloth packages.

For the detailed security status of ruby-redcloth please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-redcloth

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10arm64ruby-redcloth< 4.3.2-3+deb10u1ruby-redcloth_4.3.2-3+deb10u1_arm64.deb
Debian10amd64ruby-redcloth-dbgsym< 4.3.2-3+deb10u1ruby-redcloth-dbgsym_4.3.2-3+deb10u1_amd64.deb
Debian10i386ruby-redcloth-dbgsym< 4.3.2-3+deb10u1ruby-redcloth-dbgsym_4.3.2-3+deb10u1_i386.deb
Debian10allruby-redcloth< 4.3.2-3+deb10u1ruby-redcloth_4.3.2-3+deb10u1_all.deb
Debian10arm64ruby-redcloth-dbgsym< 4.3.2-3+deb10u1ruby-redcloth-dbgsym_4.3.2-3+deb10u1_arm64.deb
Debian10armhfruby-redcloth-dbgsym< 4.3.2-3+deb10u1ruby-redcloth-dbgsym_4.3.2-3+deb10u1_armhf.deb
Debian10amd64ruby-redcloth< 4.3.2-3+deb10u1ruby-redcloth_4.3.2-3+deb10u1_amd64.deb
Debian10i386ruby-redcloth< 4.3.2-3+deb10u1ruby-redcloth_4.3.2-3+deb10u1_i386.deb
Debian10armhfruby-redcloth< 4.3.2-3+deb10u1ruby-redcloth_4.3.2-3+deb10u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	arm64	ruby-redcloth	< 4.3.2-3+deb10u1	ruby-redcloth_4.3.2-3+deb10u1_arm64.deb
Debian	10	amd64	ruby-redcloth-dbgsym	< 4.3.2-3+deb10u1	ruby-redcloth-dbgsym_4.3.2-3+deb10u1_amd64.deb
Debian	10	i386	ruby-redcloth-dbgsym	< 4.3.2-3+deb10u1	ruby-redcloth-dbgsym_4.3.2-3+deb10u1_i386.deb
Debian	10	all	ruby-redcloth	< 4.3.2-3+deb10u1	ruby-redcloth_4.3.2-3+deb10u1_all.deb
Debian	10	arm64	ruby-redcloth-dbgsym	< 4.3.2-3+deb10u1	ruby-redcloth-dbgsym_4.3.2-3+deb10u1_arm64.deb
Debian	10	armhf	ruby-redcloth-dbgsym	< 4.3.2-3+deb10u1	ruby-redcloth-dbgsym_4.3.2-3+deb10u1_armhf.deb
Debian	10	amd64	ruby-redcloth	< 4.3.2-3+deb10u1	ruby-redcloth_4.3.2-3+deb10u1_amd64.deb
Debian	10	i386	ruby-redcloth	< 4.3.2-3+deb10u1	ruby-redcloth_4.3.2-3+deb10u1_i386.deb
Debian	10	armhf	ruby-redcloth	< 4.3.2-3+deb10u1	ruby-redcloth_4.3.2-3+deb10u1_armhf.deb