Add CVE-2025-24294: DoS in resolv gem #914
@jasnow for your review
postmodern
left a comment
This doesn't appear to be in the format of ruby-advisory-db's YAML schema. Please see the examples and YAML schema documentation.
rubies/ruby/CVE-2025-24294.yml
ruby-advisory-db omits the CVE- from the cve: field.
postmodern
left a comment
Also will need to list the specific new ruby versions that were released, instead of the resolv gem versions.
Thanks @postmodern. All addressed now, apologies for using the wrong schema.
postmodern
left a comment
Linter failed because of the indentation on lines 20-24. Should be four spaces, not two.
Just saw that and pushed a fix.
Description:
Adds an advisory for a denial-of-service vulnerability in the resolv library bundled with Ruby.

Details:
A vulnerability exists in resolv where an attacker can craft a malicious DNS packet with a highly compressed domain name. During parsing, the name-decompression can consume excessive CPU resources, leading to a thread or application becoming unresponsive (DoS).

Announcement

Affected versions:
resolv ≤ 0.2.2
resolv = 0.3.0
resolv ≤ 0.6.1

References:
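The description above explains the failure mode (unbounded work while decompressing DNS names) without showing what a bounded decoder looks like. The following is an added example, not code from this PR, from ruby-advisory-db, or from the resolv gem: a Ruby decoder for DNS wire-format names (RFC 1035 section 4.1.4) that caps the number of compression pointers it will follow, requires every pointer to move backwards, and caps the decoded length, so a packet built to force excessive decompression is rejected rather than consuming CPU. The constants MAX_POINTER_HOPS and MAX_NAME_LENGTH, the helper names, and the sample packets are assumptions constructed here for illustration and are not resolv's values.

```ruby
# Added example, not code from the PR or the resolv gem: a DNS wire-format
# name decoder that bounds the work done on compression pointers (RFC 1035
# section 4.1.4), so a name built to force excessive decompression is
# rejected instead of burning CPU. The limits below are illustrative
# assumptions, not resolv's constants.

MAX_POINTER_HOPS = 16   # assumed bound on pointer follows per name
MAX_NAME_LENGTH  = 255  # RFC 1035 limit on an encoded domain name

class DnsNameError < StandardError; end

# Decode the name at `offset` in `packet` (a binary String).
# Returns [dotted_name, offset_after_name_in_the_unfollowed_stream].
def decode_name(packet, offset)
  labels = []
  hops = 0
  decoded = 0
  after = nil           # position after the name before any pointer was followed
  pos = offset

  loop do
    raise DnsNameError, "truncated name" if pos >= packet.bytesize
    len = packet.getbyte(pos)

    if len.zero?                               # root label ends the name
      pos += 1
      break
    elsif (len & 0xC0) == 0xC0                 # 2-byte compression pointer
      raise DnsNameError, "truncated pointer" if pos + 1 >= packet.bytesize
      target = ((len & 0x3F) << 8) | packet.getbyte(pos + 1)
      hops += 1
      raise DnsNameError, "too many compression pointers" if hops > MAX_POINTER_HOPS
      # A pointer must refer to an earlier occurrence of a name; refusing
      # forward and self-referential targets rules out pointer loops outright.
      raise DnsNameError, "pointer does not move backwards" if target >= pos
      after ||= pos + 2
      pos = target
    elsif (len & 0xC0) != 0                    # 0x40 / 0x80 label types
      raise DnsNameError, "unsupported label type"
    else                                       # ordinary label
      raise DnsNameError, "label overruns packet" if pos + 1 + len > packet.bytesize
      decoded += len + 1
      raise DnsNameError, "name too long" if decoded > MAX_NAME_LENGTH
      labels << packet.byteslice(pos + 1, len)
      pos += 1 + len
    end
  end

  [labels.join("."), after || pos]
end

# Non-raising wrapper for callers that want to log and drop a bad packet.
def check_name(packet, offset)
  name, = decode_name(packet, offset)
  [:ok, name]
rescue DnsNameError => e
  [:rejected, e.message]
end

# Constructed sample: a 12-byte header, "www.example.com" at offset 12, then
# "mail" followed by a pointer (0xC0 0x10) to "example.com" at offset 16.
SAMPLE_RESPONSE = ("\x00" * 12).b +
                  "\x03www\x07example\x03com\x00".b +
                  "\x04mail\xC0\x10".b

# Constructed pathological input: a pointer at offset 12 that targets itself.
SELF_POINTER = ("\x00" * 12).b + "\xC0\x0C".b

# Constructed chain of `depth` single-label names, each pointing back at the
# previous one, so decoding the last name costs depth-1 pointer follows.
# Returns [packet, offset_of_last_name].
def build_pointer_chain(depth)
  packet = ("\x00" * 12).b
  prev = nil
  depth.times do |i|
    here = packet.bytesize
    packet << "\x01".b << ("a".ord + (i % 26)).chr.b
    packet << (prev ? [0xC000 | prev].pack("n") : "\x00".b)
    prev = here
  end
  [packet, prev]
end

if __FILE__ == $0
  p check_name(SAMPLE_RESPONSE, 12)   # [:ok, "www.example.com"]
  p check_name(SAMPLE_RESPONSE, 29)   # [:ok, "mail.example.com"]
  p check_name(SELF_POINTER, 12)      # [:rejected, "pointer does not move backwards"]
  pkt, off = build_pointer_chain(MAX_POINTER_HOPS + 2)
  p check_name(pkt, off)              # [:rejected, "too many compression pointers"]
end
```

The hop cap alone bounds the cost of one name; the backwards-only rule is what makes loops impossible rather than merely expensive, and the length cap stops a chain of ordinary labels from growing the result without bound. A resolver that rejects on any of these conditions should drop the whole response and count the event, since a single malformed name is enough to indicate a hostile or broken upstream.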