CVE-2023-36617

Name	CVE-2023-36617
Description	A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3858-1, ELA-1149-1, ELA-1150-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jruby (PTS)	jessie, jessie (lts)	1.5.6-9+deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	1.7.26-1+deb9u3	vulnerable
	buster (security), buster, buster (lts)	9.1.17.0-3+deb10u1	fixed
	bookworm	9.3.9.0+ds-8	fixed
	sid, trixie	9.4.8.0+ds-1	fixed
ruby2.1 (PTS)	jessie, jessie (lts)	2.1.5-2+deb8u14	fixed
ruby2.3 (PTS)	stretch (security)	2.3.3-1+deb9u11	vulnerable
	stretch (lts), stretch	2.3.3-1+deb9u12	fixed
ruby2.5 (PTS)	buster, buster (lts)	2.5.5-3+deb10u7	fixed
	buster (security)	2.5.5-3+deb10u6	vulnerable
ruby2.7 (PTS)	bullseye	2.7.4-1+deb11u1	vulnerable
	bullseye (security)	2.7.4-1+deb11u2	fixed
ruby3.1 (PTS)	bookworm (security), bookworm	3.1.2-7+deb12u1	fixed
	sid, trixie	3.1.2-8.4	fixed
rubygems (PTS)	bullseye	3.2.5-2	fixed
	bookworm	3.3.15-2	fixed
	sid, trixie	3.4.20-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
jruby	source	jessie	(unfixed)	end-of-life
jruby	source	stretch	(unfixed)	end-of-life
jruby	source	(unstable)	(not affected)
ruby2.1	source	(unstable)	(not affected)
ruby2.3	source	stretch	2.3.3-1+deb9u12		ELA-1149-1
ruby2.3	source	(unstable)	(not affected)
ruby2.5	source	buster	2.5.5-3+deb10u7		ELA-1150-1
ruby2.5	source	(unstable)	(unfixed)
ruby2.7	source	bullseye	2.7.4-1+deb11u2		DLA-3858-1
ruby2.7	source	(unstable)	(not affected)
ruby3.1	source	(unstable)	(not affected)
rubygems	source	(unstable)	(not affected)

Notes

- rubygems <not-affected> (Incomplete fix never applied)
- ruby3.1 <not-affected> (Incomplete fix never applied)
- ruby2.7 <not-affected> (Incomplete fix never applied)
[buster] - ruby2.5 <postponed> (Minor issue, ReDoS)
- jruby <not-affected> (Incomplete fix not applied, covered by CVE-2023-28755)
[buster] - jruby <postponed> (Minor issue, ReDoS)
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1
https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8
- ruby2.1 <not-affected> (Incomplete fix never applied)
- ruby2.3 <not-affected> (Incomplete fix never applied)