ruby · hsbt · Mar 28, 2023 · Mar 28, 2023 · sorah · Mar 28, 2023
@@ -13,16 +13,20 @@ This vulnerability has been assigned the CVE identifier [CVE-2023-28755](https:/
 
 ## Details
 
-A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
+A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
 
-Please update the uri gem to version 0.12.1 or later. We also release for old uri gem with Ruby releases. Please use them if you need to only security fix.
+The `uri` gem version 0.10.1, 0.10.2, 0.11.0, 0.12.0, and all versions 0.10.0 and prior are vulnerable for this vulnerability.
 
-* For Ruby 2.7 users: URI 0.10.0.1
-* For Ruby 3.0 users: URI 0.10.2
-* For Ruby 3.1 users: URI 0.11.1
-* For Ruby 3.2 users: URI 0.12.1
+## Recommended action
 
-You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.1"` to your `Gemfile`.
+We recommend to update the `uri` gem to 0.12.1. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
+
+* For Ruby 2.7: Update to `uri` 0.10.0.1
+* For Ruby 3.0: Update to `uri` 0.10.2
+* For Ruby 3.1: Update to `uri` 0.11.1
+* For Ruby 3.2: Update to `uri` 0.12.1
+
+You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.1"` (or other version mentioned above) to your `Gemfile`.
 
 ## Affected versions