Opened 7 months ago

Closed 7 months ago

#21851 closed enhancement (fixed)

ruby-3.4.5

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Douglas R. Reno, 7 months ago

Priority: normal → elevated

In addition to bug fixes, this release includes a fix for CVE-2025-24294 in the bundled 'resolv' gem. Details on that vulnerability:

CVE-2025-24294: Possible Denial of Service in resolv gem

A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2025-24294. We recommend upgrading the resolv gem.

Details

The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
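
The length check the advisory describes, as an added example in Ruby that is not the resolv gem's or the ticket's own code: `decode_name`, `build_chain`, the `DecodeError` class and both sample packets are constructed here for illustration.

```ruby
# Added example, not the resolv gem's own code: a minimal DNS name decoder
# with the two checks a parser needs against compressed names: pointers must
# go strictly backwards, and the *decompressed* name is capped at the RFC 1035
# limit rather than only bounds-checking the packet.
MAX_NAME_OCTETS = 255  # wire-form name, including the terminating root label
MAX_LABEL_OCTETS = 63

class DecodeError < StandardError; end

# Returns [dotted_name, offset_after_name]; raises DecodeError on hostile input.
def decode_name(packet, offset)
  labels = []
  total = 0              # octets of the decompressed name (length byte + label)
  next_offset = nil      # where the caller resumes; fixed at the first pointer
  prev_index = offset    # every pointer must target an offset before this
  loop do
    raise DecodeError, "truncated packet" if offset >= packet.bytesize
    byte = packet.getbyte(offset)
    case byte
    when 0
      return [labels.join("."), next_offset || offset + 1]
    when 0xC0..0xFF
      raise DecodeError, "truncated pointer" if offset + 1 >= packet.bytesize
      target = ((byte & 0x3F) << 8) | packet.getbyte(offset + 1)
      raise DecodeError, "forward or self pointer" if target >= prev_index
      next_offset ||= offset + 2
      prev_index = target
      offset = target
    when 1..MAX_LABEL_OCTETS
      raise DecodeError, "truncated label" if offset + 1 + byte > packet.bytesize
      total += 1 + byte
      # The check the advisory describes as missing: a chain of backward pointers
      # keeps the packet small while the decoded name grows far past 255 octets.
      raise DecodeError, "decompressed name exceeds #{MAX_NAME_OCTETS} octets" if total + 1 > MAX_NAME_OCTETS
      labels << packet.byteslice(offset + 1, byte)
      offset += 1 + byte
    else
      raise DecodeError, "unsupported label type 0x#{byte.to_s(16)}"
    end
  end
end

# Constructed sample: "example.com" at offset 0, then "www" + pointer to 0 at offset 13.
BENIGN = "\x07example\x03com\x00\x03www\xC0\x00".b

# Constructed sample: `cells` four-byte cells, each "<one-char label><pointer to the
# previous cell>", so decoding from the last cell yields cells+1 labels from 4*(cells+1) bytes.
def build_chain(cells)
  pkt = "\x01a\x00\x00".b
  (1..cells).each { |i| pkt << "\x01a".b << [0xC000 | 4 * (i - 1)].pack("n") }
  pkt
end
```

With the cap in place, `decode_name(build_chain(200), 800)` raises after 128 labels instead of building a 400-octet name, while `decode_name(BENIGN, 13)` still resolves to `www.example.com`.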

comment:2 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 7 months ago

Release notes can be found here: https://github.com/ruby/ruby/releases/tag/v3_4_5

comment:4 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at f78a7a42da3ba4cba2b5da436b5e5798d5eb7b3b

SA-12.3-077 issued
