Release date:
2026-06-15 10:27:19 UTC
Description:
* SECURITY UPDATE: cgi DoS via super-linear CGI::Cookie.parse
- debian/patches/CVE-2025-27219.patch: in CGI::Cookie.parse
(lib/cgi/cookie.rb), merge repeated cookie-name values in place with
Array#concat instead of rebuilding the array with Array#+ on every
repeat, which was O(N^2) for N repetitions of a name. Backport of
upstream ruby/cgi 9907b76.
- CVE-2025-27219
* SECURITY UPDATE: cgi ReDoS in CGI::Util#escapeElement
- debian/patches/CVE-2025-27220.patch: replace the catastrophically
backtracking "(?:.|\n)*?>" patterns in escapeElement and
unescapeElement (lib/cgi/util.rb) with linear-time
possessive/atomic patterns that also escape unclosed tags. Backport
of upstream ruby/cgi cd1eb08.
- CVE-2025-27220
* SECURITY UPDATE: uri credential leak combining URIs (CVE-2025-27221 bypass)
- debian/patches/CVE-2025-61594.patch: in lib/uri/generic.rb,
set_userinfo always assigns @password (so it can be cleared),
set_user no longer re-attaches the old password, host=/port= clear
the userinfo, initialize sets userinfo after host/port, and
merge()/+ replace the authority wholesale through the new
set_authority/authority accessors so the base URI's password is no
longer leaked, e.g.
(URI("http://user:pass@h") + "//new@h2/p") no longer keeps ":pass".
Backport of upstream ruby/uri 2789182, 5cec76b and 6c6449e.
- CVE-2025-61594
* SECURITY UPDATE: cgi HTTP response splitting via unvalidated header/cookie values
- debian/patches/CVE-2021-33621.patch: add _no_crlf_check in
lib/cgi/core.rb so every emitted status/header value (including
Set-Cookie) is rejected if it contains CR or LF, and add
TOKEN_RE/PATH_VALUE_RE/DOMAIN_VALUE_RE validation with validating
name=/path=/domain= setters in lib/cgi/cookie.rb. Backport of
upstream ruby/cgi 64c5045, 30107a4 and b46d41c, adapted to the
pre-gemified 2.6.10 cgi layout.
- CVE-2021-33621
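The CVE-2021-33621 entry above describes rejecting CR/LF in every emitted header value and validating cookie name/path/domain. The sketch below is an added example of that kind of check, not the code from the patch or from ruby/cgi; the helper names (no_crlf!, set_cookie, emit_headers, try_emit) and the TOKEN pattern are assumptions made for illustration.

```ruby
require "uri"

# Added illustration with hypothetical helper names; this is not the code in
# lib/cgi/core.rb or lib/cgi/cookie.rb. TOKEN is the RFC 7230 "token" grammar,
# an assumption here for what a cookie name may contain.
TOKEN = /\A[!$%&'*+\-.^_`|~\#0-9A-Za-z]+\z/

# Reject any value that would let a caller end the current header line early.
def no_crlf!(field, value)
  str = value.to_s
  raise ArgumentError, "CR/LF in #{field}: #{str.inspect}" if str.match?(/[\r\n]/)
  str
end

# Build a Set-Cookie value: the name must be a token, the value is
# form-encoded, and path/domain are refused if they carry CR or LF.
def set_cookie(name, value, path: nil, domain: nil)
  raise ArgumentError, "invalid cookie name: #{name.inspect}" unless TOKEN.match?(name.to_s)
  parts = ["#{name}=#{URI.encode_www_form_component(value)}"]
  parts << "path=#{no_crlf!('path', path)}" if path
  parts << "domain=#{no_crlf!('domain', domain)}" if domain
  parts.join("; ")
end

# Serialize a header hash; every name and value passes the CR/LF check
# before anything is written to the response.
def emit_headers(headers)
  headers.map { |k, v|
    "#{no_crlf!('header name', k)}: #{no_crlf!(k, v)}\r\n"
  }.join + "\r\n"
end

# Constructed input: a redirect target copied from a request parameter.
# Returns the header block, or a short rejection message.
def try_emit(location)
  emit_headers("Status" => "302 Found", "Location" => location)
rescue ArgumentError => e
  "rejected: #{e.message}"
end

puts try_emit("/home")
puts try_emit("/home\r\nSet-Cookie: sid=injected")
puts set_cookie("sid", "a b", path: "/app")
```

Without the check, the second call would emit an extra Set-Cookie line that the application never intended to send; with it, the whole response is refused before any bytes are written.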
Updated packages:
-
alt-ruby26_2.6.10-19_amd64.deb
sha:ab3bb2d9717e3ab877bf2832d839e3e14fa27d32
-
alt-ruby26-default-gems_2.6.10-19_amd64.deb
sha:6b1b31456d0271cf22597dafb892f3e069adc228
-
alt-ruby26-devel_2.6.10-19_amd64.deb
sha:8fe92f56308dea11fc8b7be649e16ac2056477a0
-
alt-ruby26-devel-doc_2.6.10-19_amd64.deb
sha:67f6416176d9a8c9e72dfe4b058b3d44af246b9a
-
alt-ruby26-doc_2.6.10-19_amd64.deb
sha:ea791df9b1e7c4c3acb014e4a50ca1ceed054538
-
alt-ruby26-libs_2.6.10-19_amd64.deb
sha:0c25b32922031478ba219ac5a51023b1ecfbf8cb
-
alt-ruby26-rubygem-bigdecimal_1.4.1-19_amd64.deb
sha:9e09c6f2f22da0aa0bae8e14bb16d04ed4f4572a
-
alt-ruby26-rubygem-did-you-mean_2.6.10-19_amd64.deb
sha:9a7b2303e408eee5418152ca00de21917f9152e4
-
alt-ruby26-rubygem-io-console_0.4.7-19_amd64.deb
sha:19422090300828611b2e1ec8f569bbe06fceeb6b
-
alt-ruby26-rubygem-json_2.1.0-19_amd64.deb
sha:42941f61deb3d558069741030e929966f8e085fe
-
alt-ruby26-rubygem-minitest_5.11.3-19_amd64.deb
sha:a1e5b1874ba5cc72b761bbffe426d462c10b11a4
-
alt-ruby26-rubygem-net-telnet_0.2.0-19_amd64.deb
sha:172f251f4660879ad7866e30421ce7c509041272
-
alt-ruby26-rubygem-openssl_2.6.10-19_amd64.deb
sha:d9bc30d27682195caf15c4b0735883a5e0174154
-
alt-ruby26-rubygem-power-assert_1.1.3-19_amd64.deb
sha:cc3b30aa76466ee3aee1c4c19a52f2d4069de8ca
-
alt-ruby26-rubygem-psych_3.1.0-19_amd64.deb
sha:fbcbccbc3bc511867940a6df34922eb26f058a0f
-
alt-ruby26-rubygem-rake_12.3.3-19_amd64.deb
sha:47c9aff94f94cc0a504e1f65e1fe0d2e1b374560
-
alt-ruby26-rubygem-rdoc_6.1.2.1-19_amd64.deb
sha:a44c80e529b7a56db9ac3ea708a509fb2384a248
-
alt-ruby26-rubygem-test-unit_3.2.9-19_amd64.deb
sha:13e67b1fe1860dda86e0a52f73119cc69a36daec
-
alt-ruby26-rubygem-typeprof_2.6.10-19_amd64.deb
sha:2070bd1687af9ae9a0693919d9c63a53900b9af8
-
alt-ruby26-rubygem-xmlrpc_0.3.0-19_amd64.deb
sha:1479f2b295aa8083c881dfb6a6fa606b3e1d76dc
-
alt-ruby26-rubygems_3.0.3.1-19_amd64.deb
sha:98a2803e3101ba53da1c2f951d7def781b7e1279
-
alt-ruby26-rubygems-devel_3.0.3.1-19_amd64.deb
sha:cf8001a7215ff814526cc1b08528b1e602beb340
-
alt-ruby26_2.6.10-19_arm64.deb
sha:7c27d072c8d35c93052fd852a2ee311d2aaf4819
-
alt-ruby26-default-gems_2.6.10-19_arm64.deb
sha:67cbf9f2a0ca46d0360bae028cd81a64d3efc7a6
-
alt-ruby26-devel_2.6.10-19_arm64.deb
sha:be404e95cb5161791fe07a23df31e7fc0a4184a4
-
alt-ruby26-devel-doc_2.6.10-19_arm64.deb
sha:4a34f020ea7e375d764ef9f890a42270fa896b79
-
alt-ruby26-doc_2.6.10-19_arm64.deb
sha:94e98a5f4c2c31e13d56726b60d34af02eee88cc
-
alt-ruby26-libs_2.6.10-19_arm64.deb
sha:9757cbd06734a308e7bae2f5fcb5ade37e1a789c
-
alt-ruby26-rubygem-bigdecimal_1.4.1-19_arm64.deb
sha:48ba56246b06e08281fb29f839ef4b4fa474acfd
-
alt-ruby26-rubygem-did-you-mean_2.6.10-19_arm64.deb
sha:c83e343760cc63ed5e0a3966445fe0a602d39ea7
-
alt-ruby26-rubygem-io-console_0.4.7-19_arm64.deb
sha:dfe2544b39d33be8c0afa99581014254fbc61f87
-
alt-ruby26-rubygem-json_2.1.0-19_arm64.deb
sha:b1a0a700e9dcad1b920d0db3cb16a7cbdf3df3d8
-
alt-ruby26-rubygem-minitest_5.11.3-19_arm64.deb
sha:422c6ef858030165e20108c68808114ab2ea5e88
-
alt-ruby26-rubygem-net-telnet_0.2.0-19_arm64.deb
sha:0c2b16976e9a58f0c39af839cab3f79efcd13990
-
alt-ruby26-rubygem-openssl_2.6.10-19_arm64.deb
sha:b4358b79b70bd542c43ae2f34f2aad889beffbb8
-
alt-ruby26-rubygem-power-assert_1.1.3-19_arm64.deb
sha:333a24f7ae721a1df17b709bcd252efd2e50fa5b
-
alt-ruby26-rubygem-psych_3.1.0-19_arm64.deb
sha:476f6f3dbbb030fde688d0cb20735bd1d417ef32
-
alt-ruby26-rubygem-rake_12.3.3-19_arm64.deb
sha:d3285ed2b123d418d6f1852a3d7a6dc530edff02
-
alt-ruby26-rubygem-rdoc_6.1.2.1-19_arm64.deb
sha:c6027afdc4d92890292c58ab019d0c2a868a7ee2
-
alt-ruby26-rubygem-test-unit_3.2.9-19_arm64.deb
sha:63772e3336c5525bfb519a79861e0c36fe89ec97
-
alt-ruby26-rubygem-typeprof_2.6.10-19_arm64.deb
sha:6cb3a6a9e7725fa437f3cacd99a3781d5f50d084
-
alt-ruby26-rubygem-xmlrpc_0.3.0-19_arm64.deb
sha:4e10eea510e21d756329d974788d195271064c7d
-
alt-ruby26-rubygems_3.0.3.1-19_arm64.deb
sha:4b73d2e1caf5a3179cf3ab89dd0f3e8c26b25a34
-
alt-ruby26-rubygems-devel_3.0.3.1-19_arm64.deb
sha:563d8a729084a64df2d0f82e09df1a9107eab2a6
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.