🚨 [security] [ruby] Update resolv 0.4.0 → 0.6.2 (major)
Welcome to Depfu
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ resolv (0.4.0 → 0.6.2) · Repo
Security Advisories 🚨
🚨 resolv vulnerable to DoS via insufficient DNS domain name length validation
A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.
Details
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting
length of the name.This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Affected Version
The vulnerability affects the resolv gem bundled with the following Ruby series:
- Ruby 3.2 series: resolv version 0.2.2 and earlier
- Ruby 3.3 series: resolv version 0.3.0
- Ruby 3.4 series: resolv version 0.6.1 and earlier
Credits
Thanks to Manu for discovering this issue.
History
Originally published at 2025-07-08 07:00:00 (UTC)
Release Notes
0.6.2
What's Changed
- Limit decompressed name length
- Bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot in #95
Full Changelog: v0.6.1...v0.6.2
0.6.1
What's Changed
- Bump rubygems/release-gem from 1.1.0 to 1.1.1 by @dependabot in #76
- Allow copy / paste from the readme by @tas50 in #77
- Bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #78
- Bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #79
- Use port number 0 for ephemeral port if save by @nobu in #80
- Integrate JRuby changes by @headius in #75
w32error_raisenever returns by @nobu in #82- Load win32/resolv with rake test by @hsbt in #83
- Support powershell version of registry reference by @hsbt in #84
- Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #86
- Bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #89
- Ractor compat by @HoneyryderChuck in #62
- quote registry value name 'NV Domain' properly by @YO4 in #90
- Update resolv.rb - fix spelling by @jbampton in #93
- Bump step-security/harden-runner from 2.11.1 to 2.12.1 by @dependabot in #94
New Contributors
- @tas50 made their first contribution in #77
- @headius made their first contribution in #75
- @HoneyryderChuck made their first contribution in #62
- @YO4 made their first contribution in #90
- @jbampton made their first contribution in #93
Full Changelog: v0.6.0...v0.6.1
0.6.0
What's Changed
- Fix CI by @hsbt in #66
- Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #65
- Omit Windows and MinGW platforms with with_udp_and_tcp by @hsbt in #67
- Build the extension by @nobu in #70
- Workaround for jruby by @nobu in #71
- Fix the location of win32/resolv.rb by @nobu in #72
- Securerandom should be always available by @deivid-rodriguez in #59
- Set timeout for JRuby by @nobu in #74
- Allow setting default Resolv::DNS config in Resolv.new by @jeremyevans in #43
Full Changelog: v0.5.0...v0.6.0
0.5.0
What's Changed
- Add an explicit with_udp_and_tcp helper to test_dns.rb by @KJTsanaktsidis in #49
- Clarify the license by @hsbt in #51
- Revert "Clarify the license" by @sorah in #52
- Import win32/resolv.rb that is required on Windows by @nobu in #54
- Clarify the license by @kou in #55
- ci: Exclude Ruby 2.5 on macos-latest by @kou in #56
- Fix TCP fallback with multiple nameservers [Bug #8285] by @opti in #50
- test_dns: Fix failure on Windows by @sorah in #58
- Add spec extensions by @nobu in #57
- test_dns: Fix FD leak by @hanazuki in #60
New Contributors
- @sorah made their first contribution in #52
- @kou made their first contribution in #55
- @opti made their first contribution in #50
Full Changelog: v0.4.0...v0.5.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)