Add new uri advisory

gems/uri/CVE-2023-36617.yml

@@ -0,0 +1,48 @@
+---
+gem: uri
+cve: 2023-36617
+ghsa: hww2-5g85-429m
+url: https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
+title: ReDoS vulnerability in URI
+date: 2023-06-29
+description: |
+  We have released the uri gem version 0.12.2, 0.10.3 that has a
+  security fix for a ReDoS vulnerability. This vulnerability has
+  been assigned the CVE identifier CVE-2023-36617.
+
+  Details
+
+  A ReDoS issue was discovered in the URI component through 0.12.1
+  for Ruby. The URI parser mishandles invalid URLs that have specific
+  characters. There is an increase in execution time for parsing
+  strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.
+
+  NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755.
+
+  The uri gem version 0.12.1 and all versions prior 0.12.1 are
+  vulnerable for this vulnerability.
+
+  Recommended action
+
+  We recommend to update the uri gem to 0.12.2.
+  In order to ensure compatibility with bundled version in older
+  Ruby series, you may update as follows instead:
+
+  * For Ruby 3.0: Update to uri 0.10.3
+  * For Ruby 3.1 and 3.2: Update to uri 0.12.2
+    You can use gem update uri to update it. If you are using bundler,
+    please add gem "uri", ">= 0.12.2" (or other version mentioned
+    above) to your Gemfile.
+
+  * Affected versions: uri gem 0.12.1 or before
+patched_versions:
+  - "~> 0.10.3"
+  - ">= 0.12.2"
+related:
+  cve:
+    - 2023-28755
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-36617
+    - https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
+    - https://rubygems.org/gems/uri/versions/0.12.2
+    - https://github.com/advisories/GHSA-hww2-5g85-429m