Release date: 2026-06-15 09:19:40 UTC
Description:
* SECURITY UPDATE: DoS in CGI::Cookie.parse via repeated cookie names
- debian/patches/CVE-2025-27219.patch: merge repeated cookie values
in place with cookies[name].concat(values) instead of the
super-linear values = cookies[name].value + values, so a Cookie:
header repeating one name parses in O(n) instead of O(n**2).
Adapted byte-identically from upstream ruby/cgi@9907b76.
- CVE-2025-27219
* SECURITY UPDATE: ReDoS in CGI::Util#escapeElement
- debian/patches/CVE-2025-27220.patch: replace the lazy
backtracking element matcher ((?:.|\n)*?>) in escapeElement and
unescapeElement with possessive/atomic forms that cannot
backtrack, so a crafted unterminated tag no longer triggers
catastrophic backtracking. Adapted byte-identically from upstream
ruby/cgi@c9d1311; the upstream unclosed-tag regression tests are
added to test/cgi/test_cgi_util.rb.
- CVE-2025-27220
* SECURITY UPDATE: URI password leak when combining URIs (CVE-2025-27221 bypass)
- debian/patches/CVE-2025-61594.patch: clear userinfo fully in
set_userinfo/set_user, clear it on host=/port=, add an authority
reader and protected set_authority setter, and make merge replace
the whole authority atomically so combining a base URI with a
relative one no longer carries the base password to a new host.
Backported from upstream ruby/uri d3116ca ("Clear user info
totally..." fixing CVE-2025-27221, plus "Add authority accessor");
the merge() hunk is adapted to uri 0.10.0.2's layout. The
test/uri/test_generic.rb#test_set_component expectations are
updated and a test_merge_does_not_leak_credentials test is added.
- CVE-2025-61594
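Added example, not code from the alt-ruby27 package or from upstream ruby/cgi: a stripped-down model of the CGI::Cookie.parse merge loop described under CVE-2025-27219, with the pre-fix Array#+ merge and the post-fix Array#concat merge side by side. It counts how many array elements each strategy copies for a Cookie: header that repeats one name n times, which makes the O(n**2) versus O(n) difference observable without timing. The MiniCookie struct, the copy counter and the header generator are constructed here for illustration.

```ruby
# Minimal stand-in for CGI::Cookie (constructed for this example): a name
# and an Array of values, which is what the real class stores too.
MiniCookie = Struct.new(:name, :value)

# Splits a Cookie: header the way CGI::Cookie.parse does ("; " between
# pairs, "&" between several values of one pair) and merges repeated
# names. +strategy+ is :plus (pre-fix merge) or :concat (post-fix merge).
# Returns [cookies_hash, elements_copied] so the work done is measurable.
def parse_cookie_header(raw_cookie, strategy)
  cookies = {}
  copied = 0
  raw_cookie.split(/;\s?/).each do |pair|
    next if pair.empty?
    name, values = pair.split('=', 2)
    values = values ? values.split('&') : []
    if cookies.key?(name)
      case strategy
      when :plus
        # Pre-fix: Array#+ allocates a new array and copies every value
        # accumulated so far, so n repetitions cost about n**2/2 copies.
        old = cookies[name].value
        copied += old.size + values.size
        cookies[name] = MiniCookie.new(name, old + values)
      when :concat
        # Post-fix: Array#concat appends in place and copies only the
        # newly seen values, so n repetitions cost n copies.
        copied += values.size
        cookies[name].value.concat(values)
      else
        raise ArgumentError, "unknown strategy #{strategy.inspect}"
      end
    else
      cookies[name] = MiniCookie.new(name, values)
    end
  end
  [cookies, copied]
end

# Constructed attacker-style input: one cookie name repeated +n+ times.
def repeated_cookie_header(n, name = 'sid')
  Array.new(n) { |i| "#{name}=v#{i}" }.join('; ')
end

# Parses the same header with both strategies and returns the element
# copy counts, e.g. demo(4) => { plus: 9, concat: 3 }.
def demo(n)
  header = repeated_cookie_header(n)
  _, plus_copies = parse_cookie_header(header, :plus)
  _, concat_copies = parse_cookie_header(header, :concat)
  { plus: plus_copies, concat: concat_copies }
end

if __FILE__ == $0
  [1_000, 10_000].each do |n|
    r = demo(n)
    puts "n=#{n}: Array#+ copied #{r[:plus]} elements, Array#concat copied #{r[:concat]}"
  end
end
```

Both strategies produce identical cookie hashes; only the amount of copying differs, which is why the upstream change is a pure performance fix with no behavioural change to parsed values.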
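Added example, not code from the alt-ruby27 package or from upstream ruby/uri: a wrapper around URI#merge that enforces the post-fix rule described under CVE-2025-61594 on any Ruby, including one whose uri gem predates the patch. When the reference supplies its own authority, the merged URI may carry only the reference's userinfo, never the base's. It also includes a probe that reports whether the running interpreter's merge still leaks. The function names and the example URIs are constructed for this illustration.

```ruby
require 'uri'

# Merges +reference+ onto +base+ with URI#merge, then applies RFC 3986
# section 5.2.2: a reference that carries a host replaces the whole
# authority, userinfo included. A vulnerable merge swaps host and port but
# leaves the base's user and password behind; this strips them.
def merge_without_credential_leak(base, reference)
  base = URI(base)
  ref = URI(reference)
  result = base.merge(ref)
  if ref.host && ref.userinfo.nil? && result.userinfo
    # Clear password and user separately: on the pre-fix uri gem,
    # `user = nil` (and `userinfo = nil`) leaves the password attribute set,
    # which is the "clear userinfo fully" part of the upstream fix.
    result.password = nil
    result.user = nil
  end
  result
end

# Returns true if this runtime's URI#merge carries base credentials to a
# different host, i.e. the installed uri gem still has the leaking merge.
def runtime_merge_leaks_credentials?
  !URI('http://u:p@a.example/').merge('//b.example/').userinfo.nil?
end

if __FILE__ == $0
  puts "URI#merge leaks base credentials on this Ruby: #{runtime_merge_leaks_credentials?}"
  # Cross-host reference: base credentials must not follow to b.example.
  puts merge_without_credential_leak('http://alice:s3cret@a.example/app/', '//b.example/x')
  # Same-authority reference: credentials legitimately stay.
  puts merge_without_credential_leak('http://alice:s3cret@a.example/app/', '../other')
  # Reference with its own credentials: those, and only those, are kept.
  puts merge_without_credential_leak('http://alice:s3cret@a.example/app/', '//bob:pw@b.example/')
end
```

The probe is useful as a quick check that the updated packages actually took effect: on a patched interpreter it returns false. The wrapper gives the same three results whether or not the runtime is patched, which is what makes it a safe interim mitigation for code that combines a credentialed base URI with untrusted relative references.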
Updated packages:
- alt-ruby27_2.7.8-6_amd64.deb sha:a8a811b4ae3e4059730bdda60bac36020513e2f2
- alt-ruby27-default-gems_2.7.8-6_amd64.deb sha:113ead1fde0370319b5df37adb1b98219ca11014
- alt-ruby27-devel_2.7.8-6_amd64.deb sha:8b5e9894f6c9f4b6113308c1d0a1aac6a873179e
- alt-ruby27-doc_2.7.8-6_amd64.deb sha:f88cec0f6cb2a52d7402e37b7901bc88db22a87c
- alt-ruby27-libs_2.7.8-6_amd64.deb sha:fcd99113067334288604a3ca1f4b6737322c9f4c
- alt-ruby27-rubygem-bigdecimal_2.0.0-6_amd64.deb sha:dba56ff9a5b00fb0bc72ce7782bc3c2653677b53
- alt-ruby27-rubygem-bundler_2.2.24-6_amd64.deb sha:bd7ccbde8ae1c22a5079adadabf106bc1061e001
- alt-ruby27-rubygem-io-console_0.5.6-6_amd64.deb sha:45f0e8126103c35bee17e055dc46489ec48c93f0
- alt-ruby27-rubygem-irb_1.2.6-6_amd64.deb sha:95f7d34436d881d1ab8f7ee07541c5f072a0dda8
- alt-ruby27-rubygem-json_2.3.0-6_amd64.deb sha:0bbde0dc6d37e882bd799d15f2855c1994e012ae
- alt-ruby27-rubygem-minitest_5.13.0-6_amd64.deb sha:19cdcc014ce7367b93e25df1164ef3270371fd99
- alt-ruby27-rubygem-net-telnet_0.2.0-6_amd64.deb sha:8465967617417feab79b809e55eae0bbaff21960
- alt-ruby27-rubygem-power-assert_1.1.7-6_amd64.deb sha:9aab4cf12610750027fbbbf7484c62814322062e
- alt-ruby27-rubygem-psych_3.1.0-6_amd64.deb sha:66395962535b4a518227e177d0307822adecd6ff
- alt-ruby27-rubygem-rake_13.0.1-6_amd64.deb sha:eec5f90847b88e8c84afb71fe90be779b8a179ff
- alt-ruby27-rubygem-rdoc_6.2.1.1-6_amd64.deb sha:8a22fe18a30a59405cfa6350a907c33e06e89820
- alt-ruby27-rubygem-test-unit_3.3.4-6_amd64.deb sha:8343d129b00103465cb4af8914285255f49b855e
- alt-ruby27-rubygem-typeprof_2.7.8-6_amd64.deb sha:9ac69aec9c80f72b24afc293b713f44993a7b2b2
- alt-ruby27-rubygem-xmlrpc_0.3.0-6_amd64.deb sha:9e31dac0731b1a48b31f5fcb4be7d735ca032fc9
- alt-ruby27-rubygems_3.1.6-6_amd64.deb sha:c2040c7a246b25a73a47d019aeba4c3936e46624
- alt-ruby27-rubygems-devel_3.1.6-6_amd64.deb sha:538826b68347a6b752a66f02da9bac77f28ac3cb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.