From 2253e231e2fd0f8291ab33ec44b6d6a83446df2d Mon Sep 17 00:00:00 2001
From: cicd
Date: Wed, 21 Aug 2024 08:52:00 +0200
Subject: [PATCH] commit by to_remotes 2024-08-21 08:52:00 +0200 from cicd
---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 report.txt | 11 ++++++++++-
 update-info.txt | 12 ++++++++----
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 375c83f..ea7f741 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2024-08-20T14:13:06+02:00
+2024-08-21T08:52:00+02:00
diff --git a/bundle-audit.json b/bundle-audit.json
index 72ecb46..8f4076c 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.1","created_at":"2024-08-20 14:13:05 +0200","results":[]}
\ No newline at end of file
+{"version":"0.9.1","created_at":"2024-08-21 08:51:59 +0200","results":[{"type":"unpatched_gem","gem":{"name":"fugit","version":"1.11.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/fugit/CVE-2024-43380.yml","id":"CVE-2024-43380","url":"https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g","title":"fugit parse and parse_nat stall on lengthy input","date":"2024-08-19","description":"### Impact\n\nThe fugit \"natural\" parser, that turns \"every wednesday at 5pm\" into\n\"0 17 * * 3\", accepted any length of input and went on attempting to\nparse it, not returning promptly, as expected. The parse call could\nhold the thread with no end in sight.\n\nFugit dependents that do not check (user) input length for\nplausability are impacted.\n\n### Patches\n\nProblem was reported in #104 and the fix was released in\n[fugit 1.11.1](https://rubygems.org/gems/fugit/versions/1.11.1)\n\n### Workarounds\n\nBy making sure that `Fugit.parse(s)`, `Fugit.do_parse(s)`,\n`Fugit.parse_nat(s)`, `Fugit.do_parse_nat(s)`, `Fugit::Nat.parse(s)`,\nand `Fugit::Nat.do_parse(s)` are not fed strings too long.\n1000 chars feels ok, while 10_000 chars makes it stall.\n\nIn fewer words, making sure those fugit methods are not fed\nunvetted input strings.\n","cvss_v2":null,"cvss_v3":5.3,"cve":"2024-43380","osvdb":null,"ghsa":"2m96-52r3-2f3g","unaffected_versions":[],"patched_versions":[">= 1.11.1"],"criticality":"medium"}}]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index 8900c02..90546be 100644
--- a/report.txt
+++ b/report.txt
@@ -1 +1,10 @@
-No vulnerabilities found
+Name: fugit
+Version: 1.11.0
+CVE: CVE-2024-43380
+GHSA: GHSA-2m96-52r3-2f3g
+Criticality: Medium
+URL: https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
+Title: fugit parse and parse_nat stall on lengthy input
+Solution: upgrade to '>= 1.11.1'
+
+Vulnerabilities found!
diff --git a/update-info.txt b/update-info.txt
index 5c8fef7..fae1100 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,7 +1,11 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating b5e80a6..e38cfdd
+Fast-forward
+ gems/fugit/CVE-2024-43380.yml | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+ create mode 100644 gems/fugit/CVE-2024-43380.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
- advisories: 915 advisories
- last updated: 2024-08-18 23:32:52 -0700
- commit: b5e80a635bcc4d85d6e9f5b741510fb63a05150f
+ advisories: 916 advisories
+ last updated: 2024-08-20 16:44:10 -0700
+ commit: e38cfdd4a646821224272f3a4d404171d34dc9ce