Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 616
Alerts This Week
Warning Icon 1 616

Ubuntu 20.04 LTS USN-6055-2 Critical: Ruby Denial Of Service

ubuntu
Calendar Grey May 5, 2023
Dist Ubuntu Esm H88
The Ubuntu Security Team has released a vital advisory on a critical regression in Ruby due to USN-6055-1, impacting multiple releases. Review the mitigation steps now
USN-6055-1 introduced a regression.

Summary

USN-6055-1 introduced a regression.

Software Description:

- ruby2.7: Object-oriented scripting language

- ruby2.5: Object-oriented scripting language

- ruby2.3: Object-oriented scripting language

Details:

USN-6055-1 fixed a vulnerability in Ruby. Unfortunately it introduced a regression.

This update reverts the patches applied to CVE-2023-28755 in order to fix the regression

pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Ruby incorrectly handled certain regular expressions.

An attacker could possibly use this issue to cause a denial of service.

(CVE-2023-28755)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libruby2.7                      2.7.0-5ubuntu1.10
  ruby2.7                         2.7.0-5ubuntu1.10

Ubuntu 18.04 LTS:
  libruby2.5                      2.5.1-1ubuntu1.15
  ruby2.5                         2.5.1-1ubuntu1.15

Ubuntu 16.04 ESM:
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm6
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm6

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6055-2

https://ubuntu.com/security/notices/USN-6055-1

CVE-2023-28755, https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/2018547

Severity
critical
Lowest
Low
Medium
High
Critical

May 05, 2023

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.