From 3421fe0b6d81e5c9f1ff8fb605d40773ff9a7824 Mon Sep 17 00:00:00 2001 From: Shia Date: Tue, 8 Jul 2025 20:59:59 +0900 Subject: [PATCH 1/3] cp {en,ko}/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md --- .../2025-07-08-dos-resolv-cve-2025-24294.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md diff --git a/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md new file mode 100644 index 0000000000..6e1dbca335 --- /dev/null +++ b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md 
@@ -0,0 +1,41 @@ +--- +layout: news_post +title: "CVE-2025-24294: Possible Denial of Service in resolv gem" +author: "mame" +translator: +date: 2025-07-08 07:00:00 +0000 +tags: security +lang: en +--- + +A denial of service vulnerability has been discovered in the `resolv` gem bundled with Ruby. +This vulnerability has been assigned the CVE identifier [CVE-2025-24294]. +We recommend upgrading the resolv gem. + +## Details + +The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. + +An attacker can craft a malicious DNS packet containing a highly compressed domain name. +When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. + +This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. + +## Affected versions + +The vulnerability affects the resolv gem bundled with the following Ruby series: + +* Ruby 3.2 series: resolv version 0.2.2 and earlier +* Ruby 3.3 series: resolv version 0.3.0 +* Ruby 3.4 series: resolv version 0.6.1 and earlier + +## Credits + +Thanks to [Manu] for discovering this issue. + +## History + +* Originally published at 2025-07-08 07:00:00 (UTC) + +[CVE-2025-24294]: https://www.cve.org/CVERecord?id=CVE-2025-24294 +[Manu]: https://hackerone.com/manun From b711cce09b183a1bd2f9373fc190db25037d443e Mon Sep 17 00:00:00 2001 From: Shia Date: Tue, 8 Jul 2025 21:13:47 +0900 Subject: [PATCH 2/3] Translate "CVE-2025-24294: Possible Denial of Service in resolv gem" (ko) --- .../2025-07-08-dos-resolv-cve-2025-24294.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md index 6e1dbca335..b571865ddb 100644 
--- a/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md +++ b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md 
@@ -1,41 +1,41 @@ --- layout: news_post -title: "CVE-2025-24294: Possible Denial of Service in resolv gem" +title: "CVE-2025-24294: resolv gem의 DoS 가능성" author: "mame" -translator: +translator: "shia" date: 2025-07-08 07:00:00 +0000 tags: security -lang: en +lang: ko --- -A denial of service vulnerability has been discovered in the `resolv` gem bundled with Ruby. -This vulnerability has been assigned the CVE identifier [CVE-2025-24294]. -We recommend upgrading the resolv gem. +Ruby에 포함된 `resolv` gem에서 서비스 거부(DoS) 취약점이 발견되었습니다. +이 취약점은 CVE 번호 [CVE-2025-24294]로 등록되었습니다. +resolv gem을 업그레이드하기를 추천합니다. -## Details +## 세부 내용 -The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. +이 취약점은 DNS 패킷 내에서 압축 해제된 도메인 이름의 길이에 대한 불충분한 검사로 인해 발생합니다. -An attacker can craft a malicious DNS packet containing a highly compressed domain name. -When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. +공격자는 고도로 압축된 도메인 이름을 포함하는 악의적인 DNS 패킷을 제작할 수 있습니다. +resolv 라이브러리가 이러한 패킷을 파싱할 때, 라이브러리가 압축 해제된 이름의 길이를 제한하지 않기 때문에 이름 압축 해제 과정에서 대량의 CPU 리소스를 소모합니다. -This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. +이러한 리소스 소모로 인해 애플리케이션 스레드가 응답하지 않게 되어 서비스 거부 상태가 발생할 수 있습니다. -## Affected versions +## 해당 버전 -The vulnerability affects the resolv gem bundled with the following Ruby series: +해당 취약점은 다음 Ruby 시리즈에 포함된 resolv gem에 영향을 미칩니다: -* Ruby 3.2 series: resolv version 0.2.2 and earlier -* Ruby 3.3 series: resolv version 0.3.0 -* Ruby 3.4 series: resolv version 0.6.1 and earlier +* Ruby 3.0: `resolv` 0.2.2 이하 +* Ruby 3.1: `resolv` 0.3.0 +* Ruby 3.2: `resolv` 0.6.1 이하 -## Credits +## 도움을 준 사람 -Thanks to [Manu] for discovering this issue. +이 문제를 발견해 준 [Manu]에게 감사를 표합니다. 
-## History +## 수정 이력 -* Originally published at 2025-07-08 07:00:00 (UTC) +* 2025-07-08 07:00:00 (UTC) 최초 공개 [CVE-2025-24294]: https://www.cve.org/CVERecord?id=CVE-2025-24294 [Manu]: https://hackerone.com/manun From 9af9cb17648cd503a34e8d5a25f30ddaff1ac434 Mon Sep 17 00:00:00 2001 From: Shia Date: Thu, 10 Jul 2025 19:19:18 +0900 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Chayoung You --- ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md index b571865ddb..36991e82a7 100644 --- a/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md +++ b/ko/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md @@ -23,11 +23,11 @@ resolv 라이브러리가 이러한 패킷을 파싱할 때, 라이브러리가 ## 해당 버전 -해당 취약점은 다음 Ruby 시리즈에 포함된 resolv gem에 영향을 미칩니다: +해당 취약점은 다음 Ruby 버전대에 포함된 resolv gem에 영향을 미칩니다. -* Ruby 3.0: `resolv` 0.2.2 이하 -* Ruby 3.1: `resolv` 0.3.0 -* Ruby 3.2: `resolv` 0.6.1 이하 +* Ruby 3.2 버전대: `resolv` 0.2.2 이하 +* Ruby 3.3 버전대: `resolv` 0.3.0 +* Ruby 3.4 버전대: `resolv` 0.6.1 이하 ## 도움을 준 사람
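Review bot: in the PATCH 1/3 hunk, the file is created under `ko/news/_posts/` but its front matter still carries `lang: en` and an empty `translator:`, so on its own this commit would publish the untranslated English post on the Korean site. It works as a staging step for the translation that follows, but consider squashing it with the translation commit (or setting `lang: ko` here) so no intermediate revision renders the English copy under `ko/`.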
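Review bot: in the PATCH 2/3 hunk, the affected-versions list changes the facts rather than just the language: `Ruby 3.2 series` / `3.3` / `3.4` in the English source become `Ruby 3.0` / `Ruby 3.1` / `Ruby 3.2` in the Korean text, which would tell readers that unaffected Ruby series are vulnerable and omit the ones that are. The version numbers should be carried over unchanged from the English post, i.e. 3.2 with resolv 0.2.2 and earlier, 3.3 with resolv 0.3.0, and 3.4 with resolv 0.6.1 and earlier. The remaining paragraphs track the English source one for one.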
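Review bot: the PATCH 3/3 hunk restores the correct Ruby series (3.2, 3.3, 3.4 버전대) that the previous commit had mistranslated, so the final file now matches the English advisory; because the intermediate commit publishes wrong affected versions, squash this fix into the translation commit before merging so the bad list never lands in history. Replacing the trailing colon with a period on the introductory line is a style change only and does not affect the rendered list.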