Release date:
2026-06-15 09:33:50 UTC
Description:
* SECURITY UPDATE: DoS in CGI::Cookie.parse via repeated cookie names
- debian/patches/CVE-2025-27219.patch: merge repeated cookie values
in place with cookies[name].concat(values) instead of the
super-linear values = cookies[name].value + values, so a Cookie:
header repeating one name parses in O(n) instead of O(n**2).
Adapted byte-identically from upstream ruby/cgi@9907b76.
- CVE-2025-27219
* SECURITY UPDATE: ReDoS in CGI::Util#escapeElement
- debian/patches/CVE-2025-27220.patch: replace the lazy
backtracking element matcher ((?:.|\n)*?>) in escapeElement and
unescapeElement with possessive/atomic forms that cannot
backtrack, so a crafted unterminated tag no longer triggers
catastrophic backtracking. Adapted byte-identically from upstream
ruby/cgi@c9d1311; the upstream unclosed-tag regression tests are
added to test/cgi/test_cgi_util.rb.
- CVE-2025-27220
* SECURITY UPDATE: URI password leak when combining URIs (CVE-2025-27221 bypass)
- debian/patches/CVE-2025-61594.patch: clear userinfo fully in
set_userinfo/set_user, clear it on host=/port=, add an authority
reader and protected set_authority setter, and make merge replace
the whole authority atomically so combining a base URI with a
relative one no longer carries the base password to a new host.
Backported from upstream ruby/uri d3116ca ("Clear user info
totally..." fixing CVE-2025-27221, plus "Add authority accessor");
the merge() hunk is adapted to uri 0.10.0.2's layout. The
test/uri/test_generic.rb#test_set_component expectations are
updated and a test_merge_does_not_leak_credentials test is added.
- CVE-2025-61594
Updated packages:
-
alt-ruby27_2.7.8-6_amd64.deb
sha:0bae6e76a8b6a67d58281f0ff16030d9e306ddb5
-
alt-ruby27-default-gems_2.7.8-6_amd64.deb
sha:113ead1fde0370319b5df37adb1b98219ca11014
-
alt-ruby27-devel_2.7.8-6_amd64.deb
sha:44e9c886ab4e1dd8af8d9078b6fe087322d5c96f
-
alt-ruby27-doc_2.7.8-6_amd64.deb
sha:f88cec0f6cb2a52d7402e37b7901bc88db22a87c
-
alt-ruby27-libs_2.7.8-6_amd64.deb
sha:a8b0d15385e53a6103c3daeff8ee0a114026fa6f
-
alt-ruby27-rubygem-bigdecimal_2.0.0-6_amd64.deb
sha:104dcb8ac054a4eda1ea83d11ea2fd45df2ac01c
-
alt-ruby27-rubygem-bundler_2.2.24-6_amd64.deb
sha:bd7ccbde8ae1c22a5079adadabf106bc1061e001
-
alt-ruby27-rubygem-io-console_0.5.6-6_amd64.deb
sha:62ac30fd9c3ab6e58cd7a1ed74d81f01528efd6c
-
alt-ruby27-rubygem-irb_1.2.6-6_amd64.deb
sha:95f7d34436d881d1ab8f7ee07541c5f072a0dda8
-
alt-ruby27-rubygem-json_2.3.0-6_amd64.deb
sha:f87df4b13161cc834255e76b28a4d865a10359c6
-
alt-ruby27-rubygem-minitest_5.13.0-6_amd64.deb
sha:19cdcc014ce7367b93e25df1164ef3270371fd99
-
alt-ruby27-rubygem-net-telnet_0.2.0-6_amd64.deb
sha:8465967617417feab79b809e55eae0bbaff21960
-
alt-ruby27-rubygem-power-assert_1.1.7-6_amd64.deb
sha:9aab4cf12610750027fbbbf7484c62814322062e
-
alt-ruby27-rubygem-psych_3.1.0-6_amd64.deb
sha:d8ec022c34d44505f6be2009cf41b82bc5085d55
-
alt-ruby27-rubygem-rake_13.0.1-6_amd64.deb
sha:eec5f90847b88e8c84afb71fe90be779b8a179ff
-
alt-ruby27-rubygem-rdoc_6.2.1.1-6_amd64.deb
sha:8a22fe18a30a59405cfa6350a907c33e06e89820
-
alt-ruby27-rubygem-test-unit_3.3.4-6_amd64.deb
sha:8343d129b00103465cb4af8914285255f49b855e
-
alt-ruby27-rubygem-typeprof_2.7.8-6_amd64.deb
sha:9ac69aec9c80f72b24afc293b713f44993a7b2b2
-
alt-ruby27-rubygem-xmlrpc_0.3.0-6_amd64.deb
sha:9e31dac0731b1a48b31f5fcb4be7d735ca032fc9
-
alt-ruby27-rubygems_3.1.6-6_amd64.deb
sha:c2040c7a246b25a73a47d019aeba4c3936e46624
-
alt-ruby27-rubygems-devel_3.1.6-6_amd64.deb
sha:538826b68347a6b752a66f02da9bac77f28ac3cb
-
alt-ruby27_2.7.8-6_arm64.deb
sha:a7ff389953fcd2167d67162608ee584051936997
-
alt-ruby27-default-gems_2.7.8-6_arm64.deb
sha:a6a795752dd5fa474e24ae0817420390e30db374
-
alt-ruby27-devel_2.7.8-6_arm64.deb
sha:f9c5326bb0aa2aaee1f19f768594e18e1632df45
-
alt-ruby27-doc_2.7.8-6_arm64.deb
sha:7ba5e1e0ce73daa2e443d52e9b06f03b41701680
-
alt-ruby27-libs_2.7.8-6_arm64.deb
sha:4e8ff4a7fa5274630e5be0a2c27dbc12b95d4d72
-
alt-ruby27-rubygem-bigdecimal_2.0.0-6_arm64.deb
sha:c557b0adf45ee42fd2a83ba85818b69541e22d9a
-
alt-ruby27-rubygem-bundler_2.2.24-6_arm64.deb
sha:fb3515d99ecf7bb643c3e0018a18425ac33cc408
-
alt-ruby27-rubygem-io-console_0.5.6-6_arm64.deb
sha:ba0b47dfe8127a6d522c75b82ee0348af620ee70
-
alt-ruby27-rubygem-irb_1.2.6-6_arm64.deb
sha:7f77883b60e1860b5d5dc9b138e9a53d4ddd3c99
-
alt-ruby27-rubygem-json_2.3.0-6_arm64.deb
sha:efd6a25653110a269fdac671014e990566ac4f91
-
alt-ruby27-rubygem-minitest_5.13.0-6_arm64.deb
sha:fd5fbe533595cccace23aad7a5fd9d3344c4af6d
-
alt-ruby27-rubygem-net-telnet_0.2.0-6_arm64.deb
sha:5353c9c581ffb60b1269cd926ee58311c880a031
-
alt-ruby27-rubygem-power-assert_1.1.7-6_arm64.deb
sha:eabfe8f40ee8c7b368875a3262f94f4eab0e9419
-
alt-ruby27-rubygem-psych_3.1.0-6_arm64.deb
sha:5eeac84e9eff00e33cb953d029e45a5a1ca4041f
-
alt-ruby27-rubygem-rake_13.0.1-6_arm64.deb
sha:6393a8886e0690249879c998d6320ebe4c4a0e09
-
alt-ruby27-rubygem-rdoc_6.2.1.1-6_arm64.deb
sha:2bc4fe4d8808919d2fa48ae25ba0f3f3cca33c1c
-
alt-ruby27-rubygem-test-unit_3.3.4-6_arm64.deb
sha:97e72d7618176eca034257d262f17ecd0d378382
-
alt-ruby27-rubygem-typeprof_2.7.8-6_arm64.deb
sha:a2126aa1ad44e0c31cd9ceed21cfdfa5bac4feac
-
alt-ruby27-rubygem-xmlrpc_0.3.0-6_arm64.deb
sha:d66c3822c07c5a7c6553a0d4579256b71c5bbe2e
-
alt-ruby27-rubygems_3.1.6-6_arm64.deb
sha:60e907a24ad05275c66ebdf24d512baa38e50626
-
alt-ruby27-rubygems-devel_3.1.6-6_arm64.deb
sha:6d3707ccd960ad4b34720fbabfcc6b89d6d83c05
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
