Sync with GitHub Security Advisories

reedloden · reedloden · commit 11a4ed1c43d0 · 2023-04-04T13:25:56.000-07:00
* Add time/CVE-2023-28756 and unpoly-rails/CVE-2023-28846
diff --git a/gems/time/CVE-2023-28756.yml b/gems/time/CVE-2023-28756.yml
@@ -0,0 +1,18 @@
+---
+gem: time
+cve: 2023-28756
+ghsa: fg7x-g82r-94qc
+url: https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
+title: Ruby Time component ReDos issue
+date: 2023-03-31
+description: |
+  A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby
+  through 3.2.1. The Time parser mishandles invalid URLs that have specific characters.
+  It causes an increase in execution time for parsing strings to Time objects. The
+  fixed versions are 0.1.1 and 0.2.2.
+patched_versions:
+- "~> 0.1.1"
+- ">= 0.2.2"
+related:
+  url:
+  - https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
diff --git a/gems/unpoly-rails/CVE-2023-28846.yml b/gems/unpoly-rails/CVE-2023-28846.yml
@@ -0,0 +1,67 @@
+---
+gem: unpoly-rails
+cve: 2023-28846
+ghsa: m875-3xf6-mf78
+url: https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78
+title: unpoly-rails Denial of Service vulnerability
+date: 2023-03-30
+description: |
+  There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails
+  gem that implements the [Unpoly server protocol](https://unpoly.com/up.protocol)
+  for Rails applications.
+
+  ### Impact
+
+  This issues affects Rails applications
+  that operate as an upstream of a load balancer's that uses [passive health
+  checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks).
+
+  The [unpoly-rails](https://github.com/unpoly/unpoly-rails/) gem echoes the request URL
+  as an `X-Up-Location` response header. By making a request with exceedingly long
+  URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly
+  large response header.
+
+  If the response header is too large to be parsed by a load balancer downstream
+  of the Rails application, it may cause the load balancer to remove the upstream
+  from a load balancing group. This causes that application instance to become
+  unavailable until a configured timeout is reached or until an active healthcheck
+  succeeds.
+
+  ### Workarounds
+
+  If you cannot upgrade to a fixed release, several workarounds are available:
+
+  - Configure your load balancer to
+    use active health checks, e.g. by periodically requesting a route with a known response
+    that indicates healthiness.
+  - Configure your load balancer so the [maximum size
+    of response headers](https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning)
+    is at least twice the [maximum size of a URL](https://tryhexadecimal.com/guides/http/414-request-uri-too-long).
+  - Instead of changing your server configuration you may also configure your Rails
+    application to delete redundant `X-Up-Location` headers set by unpoly-rails:
+
+    ```ruby
+    class ApplicationController < ActionController::Base
+
+      after_action :remove_redundant_up_location_header
+
+      private
+
+      def remove_redundant_up_location_header
+        if request.original_url == response.headers['X-Up-Location']
+          response.headers.delete('X-Up-Location')
+        end
+      end
+
+    end
+  ```
+cvss_v3: 5.9
+patched_versions:
+- ">= 2.7.2.2"
+related:
+  url:
+  - https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16
+  - https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks
+  - https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning
+  - https://tryhexadecimal.com/guides/http/414-request-uri-too-long
+  - https://unpoly.com/up.protocol
