Open Source

CVE-2023-36617: ReDoS vulnerability in URI

by

We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability.
This vulnerability has been assigned the CVE identifier CVE-2023-36617.

Details

A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755.

The uri gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability.

Recommended action

We recommend to update the uri gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 3.0: Update to uri 0.10.3
  • For Ruby 3.1 and 3.2: Update to uri 0.12.2

You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.2" (or other version mentioned above) to your Gemfile.

Affected versions

  • uri gem 0.12.1 or before

Credits

Thanks to ooooooo_q for discovering this issue.

Thanks to nobu for fixing this issue.

History

  • Originally published at 2023-06-29 01:00:00 (UTC)

Posted by hsbt on 29 Jun 2023

lilos: a minimal async RTOS

by
This is a wee operating system written to support the async style of programming in Rust on microcontrollers. It fits in about 2 kiB of Flash and uses about 20 bytes of RAM (before your tasks are added). In that space, you get a full async runtime with multiple tasks, support for complex concurrency via join and select, and a lot of convenient but simple APIs. I understood some of those words.

Open Policy Alliance: A new program to amplify underrepresented voices in public policy development

by
Open Policy Alliance: A new program to amplify underrepresented voices in public policy development
Open Policy Alliance: A new program to amplify underrepresented voices in public policy development

This new program – the Open Policy Alliance – seeks to empower these voices and enable them to actively  participate in educating and informing US public policy decisions related to Open Source software, content, research, and education.

The post <span class=’p-name’>Open Policy Alliance: A new program to amplify underrepresented voices in public policy development</span> appeared first on Voices of Open Source.

Sequelize MySQL Node Express REST API | Babel | Devhubspot

by

Video by via Dailymotion Source Create Rest api NodeJS using mysql babel and Sequelize #restapis #restapi #tutorial #nodejs #nodejstutorial #express #array #sequelize #mysql #babel #advancejavascript Join this channel to get access to perks:https://www.youtube.com/channel/UCj86KkLBLWPrABBQZmZEsYA/join Shopping Website:https://my-store-e3dbac.creator-spring.com/https://devhubspot.myspreadshop.com/ Connect with me on social media:Instagram: https://www.instagram.com/DevHubSpot/Facebook: https://facebook.com/devhubspotTwitter: https://twitter.com/devhub1spotYoutube:https://www.youtube.com/channel/UCj86KkLBLWPrABBQZmZEsYAWebsite: https://www.devhubspot.net/ ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬For more updates on technology and programming subscribe to our … Read more

Maioria dos reajustes salariais fica acima da inflação; Alan Ghani

by

Video by via Dailymotion Source Nove em cada dez salários (91,9%) tiveram reajuste acima da inflação medida pelo INPC (Índice Nacional de Preços ao Consumidor) em maio de 2023, de acordo com o boletim Salariômetro, da Fipe (Fundação Instituto de Pesquisas Econômicas). O relatório foi divulgado nesta quarta-feira (28). Assista ao Jornal da Manhã completo; … Read more