Package: ruby3.3 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for ruby3.3. CVE-2025-24294[0]: | The attack vector is a potential Denial of Service (DoS). The | vulnerability is caused by an insufficient check on the length of a | decompressed domain name within a DNS packet. An attacker can | craft a malicious DNS packet containing a highly compressed domain | name. When the resolv library parses such a packet, the name | decompression process consumes a large amount of CPU resources, as | the library does not limit the resulting length of the name. This | resource consumption can cause the application thread to become | unresponsive, resulting in a Denial of Service condition. https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/ https://github.com/ruby/resolv/commit/24ed513f028d8e5c76310fcdecf07f79eb721a32 (v0.3.1) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-24294 https://www.cve.org/CVERecord?id=CVE-2025-24294 Please adjust the affected versions in the BTS as needed.
