Source: ruby-json
Version: 2.19.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-json.

CVE-2026-33210[0]:
| Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to
| before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string
| injection vulnerability can lead to denial of service attacks or
| information disclosure, when the allow_duplicate_key: false parsing
| option is used to parse user supplied documents. This issue has been
| patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33210
    https://www.cve.org/CVERecord?id=CVE-2026-33210
[1] https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
[2] https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
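A triage helper, added here as an example and not part of the bug report or of ruby-json itself, that maps the version of the json gem loaded on a host onto the three fixed releases the advisory names, so an inventory script can tell which hosts still need the update before they parse untrusted documents with allow_duplicate_key: false. The advisory only lists the fixed versions; the mapping of each fixed release to a version series (2.14-2.15, 2.16-2.17, 2.18-2.19) is an assumption of this example.

```ruby
require "rubygems" # Gem::Version, for correct four-component comparisons
require "json"     # JSON::VERSION of the gem actually loaded

# Fixed releases named in the advisory for CVE-2026-33210, keyed by the
# first version of the series each one is assumed to cover.
# ASSUMPTION (not stated in the advisory): 2.15.2.1 covers 2.14.x-2.15.x,
# 2.17.1.2 covers 2.16.x-2.17.x and 2.19.2 covers 2.18.x-2.19.x.
CVE_2026_33210_FIXES = [
  [Gem::Version.new("2.14.0"), Gem::Version.new("2.15.2.1")],
  [Gem::Version.new("2.16.0"), Gem::Version.new("2.17.1.2")],
  [Gem::Version.new("2.18.0"), Gem::Version.new("2.19.2")],
].freeze

# True when a json gem of the given version is in the affected range:
# at or above 2.14.0 and below the fixed release of its series.
def affected_by_cve_2026_33210?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < CVE_2026_33210_FIXES.first[0]

  # The series is the last entry whose starting version does not exceed v;
  # anything at or past the newest fixed release (e.g. 2.20.x) is not affected.
  _start, fixed = CVE_2026_33210_FIXES.reverse.find { |start, _| v >= start }
  v < fixed
end

# Status of the json gem loaded in this process, in a shape an inventory
# script can collect from each host.
def installed_json_status
  version = JSON::VERSION
  { version: version,
    affected: affected_by_cve_2026_33210?(version),
    fixed_releases: CVE_2026_33210_FIXES.map { |_, fixed| fixed.to_s } }
end

if $PROGRAM_NAME == __FILE__
  status = installed_json_status
  verdict = status[:affected] ? "AFFECTED" : "not affected"
  puts "json #{status[:version]}: #{verdict} by CVE-2026-33210"
end
```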

