From f109aea3541932539f3c3a614c4630abc45a1e34 Mon Sep 17 00:00:00 2001 From: Andrew Konchin Date: Fri, 31 May 2024 12:37:11 +0300 Subject: [PATCH] Fix the Known CVEs document and remove wrong link to a test for CVE-2024-2728 --- doc/user/known-cves.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/known-cves.md b/doc/user/known-cves.md index 61f1bd71cf54..d08eda821bd8 100644 --- a/doc/user/known-cves.md +++ b/doc/user/known-cves.md 
@@ -21,7 +21,7 @@ Number | Description | Their Mitigation | Test | Our Mitigation --- | --- | --- | --- | --- CVE-2024-35176 | DoS in REXML | [Fix](https://github.com/ruby/rexml/pull/126/commits/ba70cfefadf7e79885fe08228d1df4c0549ad0f8) | [Test](https://github.com/ruby/rexml/pull/126/commits/ba70cfefadf7e79885fe08228d1df4c0549ad0f8) | [same mitigation as CRuby](https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/), users must update rexml to 3.2.7+ if they use it CVE-2024-27282 | Arbitrary memory address read vulnerability with Regex search | [Fix](https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a) | | Not applicable thanks to Java semantics -CVE-2024-27281 | RCE vulnerability with .rdoc_options in RDoc | [Fix](https://github.com/ruby/rdoc/compare/v6.3.3...v6.3.4.1) | [Test](https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904) | Not applicable because TruffleRuby does not generate rdoc on gem install +CVE-2024-27281 | RCE vulnerability with .rdoc_options in RDoc | [Fix](https://github.com/ruby/rdoc/compare/v6.3.3...v6.3.4.1) | | Not applicable because TruffleRuby does not generate rdoc on gem install CVE-2024-27280 | Buffer overread vulnerability in StringIO | [Fix](https://github.com/ruby/stringio/compare/v3.0.1...v3.0.1.1) | [Test](https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8) | Not applicable, we use the Ruby implementation of StringIO CVE-2023-36617 | ReDoS vulnerability in URI | [Fix](https://github.com/ruby/uri/compare/v0.12.1...v0.12.2) | [Test](https://github.com/ruby/uri/compare/v0.12.1...v0.12.2) | Not applicable thanks to TRegex CVE-2023-28756 | ReDoS vulnerability in Time | [Fix](https://github.com/ruby/time/compare/v0.2.1...v0.2.2) | [Test](https://github.com/ruby/time/commit/c9b92a6e21f432528bddf65fbd132db3487d07bf) | Not applicable thanks to TRegex
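Review bot: The commit subject refers to "CVE-2024-2728", but the only row touched by this hunk is CVE-2024-27281; please correct the subject so the history matches the change. The edit itself is consistent with the table's existing convention: dropping the Test link leaves the cell empty, the same way the CVE-2024-27282 row already records "no test" rather than pointing at an unrelated commit. While in this table, the unchanged CVE-2024-35176 row has identical URLs in its Fix and Test columns (both `ruby/rexml/pull/126/commits/ba70cfef...`), which looks like the same kind of wrong link this patch fixes; worth verifying in a follow-up that the Test column points at an actual test rather than the fix commit.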