| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| skip-random-failure.patch | Skip random failure. | Utkarsh Gupta <utkarsh@debian.org> | not-needed | 2020-04-09 | ||
| 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch | Make tests pass on hosts that have no ipv4 connectivity This is a backport of the patch sent upstream. |
Antonio Terceiro <terceiro@debian.org> | yes | 2021-02-27 | ||
| CVE-2022-30122.patch | [PATCH 1/3] Restrict broken mime parsing This commit restricts broken mime parsing to deal with a ReDOS vulnerability. [CVE-2022-30122] |
Aaron Patterson <tenderlove@ruby-lang.org> | no | 2022-05-26 | ||
| CVE-2022-30123.patch | [PATCH 2/3] Escape untrusted text when logging This fixes a shell escape issue [CVE-2022-30123] |
Aaron Patterson <tenderlove@ruby-lang.org> | no | 2022-05-26 | ||
| CVE-2022-44570.patch | [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks @ooooooo_q for the patch! [CVE-2022-44570] |
Aaron Patterson <tenderlove@ruby-lang.org> | no | 2023-01-17 | ||
| CVE-2022-44571.patch | [PATCH] Fix ReDoS vulnerability in multipart parser This commit fixes a ReDoS vulnerability when parsing the Content-Disposition field in multipart attachments Thanks to @ooooooo_q for the patch! [CVE-2022-44571] |
Aaron Patterson <tenderlove@ruby-lang.org> | no | 2023-01-17 | ||
| CVE-2022-44572.patch | [PATCH] Forbid control characters in attributes This commit restricts the characters accepted in ATTRIBUTE_CHAR, forbidding control characters and fixing a ReDOS vulnerability. This also now should fully follow the RFCs. RFC 2231, Section 7 specifies: attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs, "*", "'", "%", or tspecials> RFC 2045, Appendix A specifies: tspecials := "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> "/" / "[" / "]" / "?" / "=" RFC 822, Section 3.3 specifies: CTL = <any ASCII control ; ( 0- 37, 0.- 31.) character and DEL> ; ( 177, 127.) SPACE = <ASCII SP, space> ; ( 40, 32.) [CVE-2022-44572] |
John Hawthorn <john@hawthorn.email> | no | 2022-08-03 | ||
| CVE-2023-27530.patch | [PATCH] Limit all multipart parts, not just files Previously we would limit the number of multipart parts which were files, but not other parts. In some cases this could cause parsing of maliciously crafted inputs to take longer than expected. [CVE-2023-27530] |
John Hawthorn <john@hawthorn.email> | no | 2022-12-08 | ||
| CVE-2023-27539.patch | [PATCH] Avoid ReDoS problem Split headers on commas, then strip the strings in order to avoid ReDoS issues. [CVE-2023-27539] |
Aaron Patterson <tenderlove@ruby-lang.org> | no | 2023-03-13 |