caolan / async

Async utilities for node and the browser
http://caolan.github.io/async/
MIT License
28.15k stars 2.41k forks

Fix ReDoS #1980

Closed kevinbackhouse closed 1 month ago

kevinbackhouse commented 2 months ago

This fixes the ReDoS issue that was reported in #1975.

I couldn't find a way to fix the ReDoS without making minor changes to the behavior of the regex, so I've split this PR into two commits to show what I've done. The first commit simplifies the regex, but in a way that will make it match a superset of the strings that it matched before. The second commit fixes the ReDoS (in both regexes) without changing their behavior.
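The two-step approach described above (first widen the regex to a superset, then remove the backtracking without changing what it accepts) can be checked mechanically. The following is an added illustration, not code from this PR or from async: `OLD_RE`, `SIMPLIFIED_RE` and `FIXED_RE` are constructed stand-in patterns that show the same shape of change, not the regex the PR edits. It enumerates a small corpus, verifies the superset and equivalence properties on it, and times the patterns on the kind of input that triggers catastrophic backtracking.

```javascript
// Added example; none of this is caolan/async's code. The three patterns are
// hypothetical stand-ins for "original -> simplified superset -> fixed, same
// behaviour" and are NOT the regex from the async project.

// Hypothetical original: words separated by at most one space, ending in a word.
const OLD_RE = /^(\w+\s?)*\w+$/;
// Superset of OLD_RE (also accepts "" and a trailing space); still backtracks
// exponentially because \w+ inside (...)* can split a run of word chars in
// exponentially many ways before the final $ fails.
const SIMPLIFIED_RE = /^(\w+\s?)*$/;
// Same language as SIMPLIFIED_RE, but each repetition must end in a space, and
// \w and \s are disjoint, so every input has exactly one way to be consumed.
const FIXED_RE = /^(\w+\s)*\w*$/;

// Every string up to maxLen over a small alphabet. '!' is neither \w nor \s,
// so the corpus covers rejected inputs as well as accepted ones.
function enumerateStrings(alphabet, maxLen) {
  const out = [''];
  let frontier = [''];
  for (let len = 1; len <= maxLen; len++) {
    const next = [];
    for (const prefix of frontier) for (const ch of alphabet) next.push(prefix + ch);
    out.push(...next);
    frontier = next;
  }
  return out;
}

// Strings `before` accepts but `after` rejects. Empty means `after` matches at
// least a superset of `before` on the corpus.
function supersetViolations(before, after, corpus) {
  return corpus.filter((s) => before.test(s) && !after.test(s));
}

// Strings on which the two regexes disagree. Empty means they behave
// identically on the corpus, which is what the "fix without changing
// behaviour" commit must guarantee.
function disagreements(a, b, corpus) {
  return corpus.filter((s) => a.test(s) !== b.test(s));
}

// Worst-case input for the backtracking patterns: a long run of word
// characters followed by a character that can match neither \w, \s nor $.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock time of one match attempt, in milliseconds.
function matchTimeMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed corpus: 4^0 + ... + 4^6 = 5461 strings.
const CORPUS = enumerateStrings(['a', 'b', ' ', '!'], 6);

function report() {
  console.log('old -> simplified superset violations:',
    supersetViolations(OLD_RE, SIMPLIFIED_RE, CORPUS).length);
  console.log('simplified accepts but old rejects (expected, it is a superset):',
    supersetViolations(SIMPLIFIED_RE, OLD_RE, CORPUS).slice(0, 3));
  console.log('simplified vs fixed disagreements:',
    disagreements(SIMPLIFIED_RE, FIXED_RE, CORPUS).length);
  // Time roughly multiplies by 16 for each +4 on the vulnerable patterns
  // while the fixed pattern stays linear.
  for (const n of [14, 18, 22]) {
    const input = adversarialInput(n);
    console.log(`n=${n}: old ${matchTimeMs(OLD_RE, input).toFixed(2)} ms,` +
      ` simplified ${matchTimeMs(SIMPLIFIED_RE, input).toFixed(2)} ms,` +
      ` fixed ${matchTimeMs(FIXED_RE, input).toFixed(2)} ms`);
  }
  console.log(`n=20000: fixed ${matchTimeMs(FIXED_RE, adversarialInput(20000)).toFixed(2)} ms`);
}

report();
```

The corpus check is bounded (strings up to length 6), so it is evidence rather than proof; for the equivalence step the real argument is that `\w` and `\s` never overlap, which removes the ambiguity the backtracking engine was exploring. The timing loop is only there to make the exponential growth visible; a pattern that stays flat as `n` grows is the property a reviewer of a ReDoS fix wants to see.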

aearly commented 1 month ago

Thanks for fixing this. The slightly expanded regex is totally fine. Hopefully this keeps the CVE hunters with regex scanners at bay.

wangweiu commented 1 month ago

Hi @aearly, is this fix for CVE-2024-39249? When will a new version be ready? Thanks.

zteric commented 4 weeks ago

Hi @aearly, can we expect a quick release for this fix?

aearly commented 4 weeks ago

Published in 3.2.6. Also note that this was an invalid, disputed CVE.