Release date:
2026-06-15 09:54:37 UTC
Description:
* SECURITY UPDATE: cgi DoS via super-linear CGI::Cookie.parse
- debian/patches/CVE-2025-27219.patch: in CGI::Cookie.parse
(lib/cgi/cookie.rb), merge repeated cookie-name values in place with
Array#concat instead of rebuilding the array with Array#+ on every
repeat, which was O(N^2) for N repetitions of a name. Backport of
upstream ruby/cgi 9907b76.
- CVE-2025-27219
* SECURITY UPDATE: cgi ReDoS in CGI::Util#escapeElement
- debian/patches/CVE-2025-27220.patch: replace the catastrophically
backtracking "(?:.|\n)*?>" patterns in escapeElement and
unescapeElement (lib/cgi/util.rb) with linear-time
possessive/atomic patterns that also escape unclosed tags. Backport
of upstream ruby/cgi cd1eb08.
- CVE-2025-27220
* SECURITY UPDATE: uri credential leak combining URIs (CVE-2025-27221 bypass)
- debian/patches/CVE-2025-61594.patch: in lib/uri/generic.rb,
set_userinfo always assigns @password (so it can be cleared),
set_user no longer re-attaches the old password, host=/port= clear
the userinfo, initialize sets userinfo after host/port, and
merge()/+ replace the authority wholesale through the new
set_authority/authority accessors so the base URI's password is no
longer leaked, e.g.
(URI("http://user:pass@h") + "//new@h2/p") no longer keeps ":pass".
Backport of upstream ruby/uri 2789182, 5cec76b and 6c6449e.
- CVE-2025-61594
* SECURITY UPDATE: cgi HTTP response splitting via unvalidated header/cookie values
- debian/patches/CVE-2021-33621.patch: add _no_crlf_check in
lib/cgi/core.rb so every emitted status/header value (including
Set-Cookie) is rejected if it contains CR or LF, and add
TOKEN_RE/PATH_VALUE_RE/DOMAIN_VALUE_RE validation with validating
name=/path=/domain= setters in lib/cgi/cookie.rb. Backport of
upstream ruby/cgi 64c5045, 30107a4 and b46d41c, adapted to the
pre-gemified 2.6.10 cgi layout.
- CVE-2021-33621
Updated packages:
-
alt-ruby26_2.6.10-19_amd64.deb
sha:b68059103efb535d140f4bd3ee87819a6f078a1d
-
alt-ruby26-default-gems_2.6.10-19_amd64.deb
sha:6b1b31456d0271cf22597dafb892f3e069adc228
-
alt-ruby26-devel_2.6.10-19_amd64.deb
sha:909300b55923d213b3a880f089833ddbc652e07f
-
alt-ruby26-devel-doc_2.6.10-19_amd64.deb
sha:67f6416176d9a8c9e72dfe4b058b3d44af246b9a
-
alt-ruby26-doc_2.6.10-19_amd64.deb
sha:ea791df9b1e7c4c3acb014e4a50ca1ceed054538
-
alt-ruby26-libs_2.6.10-19_amd64.deb
sha:2fef37d820440e041aa1839c15ff852acdedb885
-
alt-ruby26-rubygem-bigdecimal_1.4.1-19_amd64.deb
sha:00a5e4ebc23f00ee349cedc0e4f0ba73e5c7cc8d
-
alt-ruby26-rubygem-did-you-mean_2.6.10-19_amd64.deb
sha:9a7b2303e408eee5418152ca00de21917f9152e4
-
alt-ruby26-rubygem-io-console_0.4.7-19_amd64.deb
sha:e41544a5c062f28fd3c34e78ce564c1aef1ab516
-
alt-ruby26-rubygem-json_2.1.0-19_amd64.deb
sha:ccd5b88acac5ef7afcc4dbc137027d2dcb127f40
-
alt-ruby26-rubygem-minitest_5.11.3-19_amd64.deb
sha:a1e5b1874ba5cc72b761bbffe426d462c10b11a4
-
alt-ruby26-rubygem-net-telnet_0.2.0-19_amd64.deb
sha:172f251f4660879ad7866e30421ce7c509041272
-
alt-ruby26-rubygem-openssl_2.6.10-19_amd64.deb
sha:f6143c2c91d9b1feaf90fabb6213a3a779b41758
-
alt-ruby26-rubygem-power-assert_1.1.3-19_amd64.deb
sha:cc3b30aa76466ee3aee1c4c19a52f2d4069de8ca
-
alt-ruby26-rubygem-psych_3.1.0-19_amd64.deb
sha:4396b34866820d29d316bbef22ede929acfbddaa
-
alt-ruby26-rubygem-rake_12.3.3-19_amd64.deb
sha:47c9aff94f94cc0a504e1f65e1fe0d2e1b374560
-
alt-ruby26-rubygem-rdoc_6.1.2.1-19_amd64.deb
sha:a44c80e529b7a56db9ac3ea708a509fb2384a248
-
alt-ruby26-rubygem-test-unit_3.2.9-19_amd64.deb
sha:13e67b1fe1860dda86e0a52f73119cc69a36daec
-
alt-ruby26-rubygem-typeprof_2.6.10-19_amd64.deb
sha:2070bd1687af9ae9a0693919d9c63a53900b9af8
-
alt-ruby26-rubygem-xmlrpc_0.3.0-19_amd64.deb
sha:1479f2b295aa8083c881dfb6a6fa606b3e1d76dc
-
alt-ruby26-rubygems_3.0.3.1-19_amd64.deb
sha:98a2803e3101ba53da1c2f951d7def781b7e1279
-
alt-ruby26-rubygems-devel_3.0.3.1-19_amd64.deb
sha:cf8001a7215ff814526cc1b08528b1e602beb340
-
alt-ruby26_2.6.10-19_arm64.deb
sha:31da34704956c3887c379ff99dc764f1f2942884
-
alt-ruby26-default-gems_2.6.10-19_arm64.deb
sha:67cbf9f2a0ca46d0360bae028cd81a64d3efc7a6
-
alt-ruby26-devel_2.6.10-19_arm64.deb
sha:55c28c0992d18b4a057b2ab6185d6e9564b8a17e
-
alt-ruby26-devel-doc_2.6.10-19_arm64.deb
sha:4a34f020ea7e375d764ef9f890a42270fa896b79
-
alt-ruby26-doc_2.6.10-19_arm64.deb
sha:94e98a5f4c2c31e13d56726b60d34af02eee88cc
-
alt-ruby26-libs_2.6.10-19_arm64.deb
sha:6da308942e47ba26f63697467a4e39885b348113
-
alt-ruby26-rubygem-bigdecimal_1.4.1-19_arm64.deb
sha:664f78cb301bbd4902b8d6d4d5671b5b7bd94670
-
alt-ruby26-rubygem-did-you-mean_2.6.10-19_arm64.deb
sha:c83e343760cc63ed5e0a3966445fe0a602d39ea7
-
alt-ruby26-rubygem-io-console_0.4.7-19_arm64.deb
sha:948484aa45d131a4494c61622483fcdfbf5d47c1
-
alt-ruby26-rubygem-json_2.1.0-19_arm64.deb
sha:23d0d47a7cd32ab4cae75be2b0bc89cd8c84861c
-
alt-ruby26-rubygem-minitest_5.11.3-19_arm64.deb
sha:422c6ef858030165e20108c68808114ab2ea5e88
-
alt-ruby26-rubygem-net-telnet_0.2.0-19_arm64.deb
sha:0c2b16976e9a58f0c39af839cab3f79efcd13990
-
alt-ruby26-rubygem-openssl_2.6.10-19_arm64.deb
sha:8775ba76a1340acbc1cf63c274490ee84fa96146
-
alt-ruby26-rubygem-power-assert_1.1.3-19_arm64.deb
sha:333a24f7ae721a1df17b709bcd252efd2e50fa5b
-
alt-ruby26-rubygem-psych_3.1.0-19_arm64.deb
sha:895d56af3f4834ecf72e524be08623dfa277712a
-
alt-ruby26-rubygem-rake_12.3.3-19_arm64.deb
sha:d3285ed2b123d418d6f1852a3d7a6dc530edff02
-
alt-ruby26-rubygem-rdoc_6.1.2.1-19_arm64.deb
sha:c6027afdc4d92890292c58ab019d0c2a868a7ee2
-
alt-ruby26-rubygem-test-unit_3.2.9-19_arm64.deb
sha:63772e3336c5525bfb519a79861e0c36fe89ec97
-
alt-ruby26-rubygem-typeprof_2.6.10-19_arm64.deb
sha:6cb3a6a9e7725fa437f3cacd99a3781d5f50d084
-
alt-ruby26-rubygem-xmlrpc_0.3.0-19_arm64.deb
sha:4e10eea510e21d756329d974788d195271064c7d
-
alt-ruby26-rubygems_3.0.3.1-19_arm64.deb
sha:4b73d2e1caf5a3179cf3ab89dd0f3e8c26b25a34
-
alt-ruby26-rubygems-devel_3.0.3.1-19_arm64.deb
sha:563d8a729084a64df2d0f82e09df1a9107eab2a6
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
