PublicDateAtUSN: 2022-01-01 05:15:00 UTC
Candidate: CVE-2021-41817
PublicDate: 2022-01-01 05:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
 https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
 https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0 (Fix)
 https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d (v3.2.2 - followups to mimic prev behaviour)
 https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664 (v3.2.2 - followups to mimic prev behaviour)
 https://ubuntu.com/security/notices/USN-5235-1
Description:
 Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular
 expression Denial of Service) via a long string. The fixed versions are
 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_ruby3.0:
upstream_ruby3.0: needs-triage
trusty_ruby3.0: ignored (out of standard support)
xenial_ruby3.0: ignored (out of standard support)
jammy_ruby3.0: released (3.0.2-7ubuntu2)
devel_ruby3.0: released (3.0.2-7ubuntu2)

Patches_ruby2.7:
upstream_ruby2.7: needs-triage
trusty_ruby2.7: ignored (out of standard support)
xenial_ruby2.7: ignored (out of standard support)
focal_ruby2.7: released (2.7.0-5ubuntu1.6)
hirsute_ruby2.7: released (2.7.2-4ubuntu1.3)
impish_ruby2.7: released (2.7.4-1ubuntu3.1)

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
trusty_ruby2.5: ignored (out of standard support)
xenial_ruby2.5: ignored (out of standard support)
bionic_ruby2.5: released (2.5.1-1ubuntu1.11)

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
esm-infra/xenial_ruby2.3: released (2.3.1-2~ubuntu16.04.16+esm2)
trusty_ruby2.3: ignored (out of standard support)
xenial_ruby2.3: ignored (out of standard support)
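Two things a practitioner wants from this entry that the Description alone does not give: a correct "is my date gem fixed?" check (the fix was backported to four separate branches, so a single "is it at least 3.2.1" comparison misclassifies 3.1.2, 3.0.2 and 2.0.1 as vulnerable), and a way to keep unbounded strings out of Date.parse regardless of which gem version is installed. The following is an added example, not code from the Ubuntu tracker or from the ruby/date project. The 128-character cap mirrors the default limit the upstream fix introduced, and the function names date_gem_fixed? and safe_date_parse are this example's own.

```ruby
require "date"

# Fixed versions named in the advisory, one per release branch of the date gem.
# A version is only safe if it is at or above the fix on its own branch.
DATE_GEM_FIXED = ["3.2.1", "3.1.2", "3.0.2", "2.0.1"]
  .map { |v| Gem::Version.new(v) }
  .freeze

# Upstream's fix caps Date.parse input at 128 characters by default; this
# wrapper enforces the same cap itself (assumption: 128 is a sensible default
# for your inputs; pass limit: nil to opt out, as upstream allows).
DATE_PARSE_LIMIT = 128

# Returns true if the given date gem version string carries the ReDoS fix.
# Handles the backport branches correctly instead of a single ">= 3.2.1" test.
def date_gem_fixed?(version)
  v = Gem::Version.new(version)
  # 3.2.1 and every later release (3.2.2, 3.3.x, ...) contain the fix.
  return true if v >= Gem::Version.new("3.2.1")
  # Older branches received backports: match on major.minor, then compare.
  DATE_GEM_FIXED.any? { |fix| v.segments[0, 2] == fix.segments[0, 2] && v >= fix }
end

# Parse a date from untrusted input without handing an arbitrarily long string
# to Date.parse. Rejects oversized input up front rather than spending CPU in
# the parser's regular expressions.
def safe_date_parse(str, limit: DATE_PARSE_LIMIT)
  if limit && str.length > limit
    raise ArgumentError, "string length (#{str.length}) exceeds the limit #{limit}"
  end
  Date.parse(str)
end

if __FILE__ == $PROGRAM_NAME
  puts safe_date_parse("2021-11-15")           # normal input parses as usual
  begin
    # Constructed oversized input: rejected before Date.parse ever sees it.
    safe_date_parse((" " * 10_000) + "2021-11-15")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  installed = defined?(Date::VERSION) ? Date::VERSION : nil
  puts "installed date gem #{installed}: fixed? #{date_gem_fixed?(installed)}" if installed
  %w[3.2.0 3.2.1 3.1.1 3.1.2 3.0.2 2.0.0 2.0.1 3.3.0].each do |ver|
    puts "#{ver}: #{date_gem_fixed?(ver) ? 'fixed' : 'vulnerable'}"
  end
end
```

On a fixed gem, Date.parse itself raises ArgumentError past its own limit; the wrapper keeps that behaviour on an unpatched gem too, so the length check does not depend on which of the Ubuntu packages above is installed. Use date_gem_fixed? against Date::VERSION (or the output of gem list date) when auditing a deployed Ruby, and remember that the per-release lines above are about Ubuntu's bundled ruby packages, not about a date gem pulled in by a Gemfile.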