Release date: 2026-06-15 10:13:26 UTC
Description:
* SECURITY UPDATE: DoS in CGI::Cookie.parse via repeated cookie names
- debian/patches/CVE-2025-27219.patch: merge repeated cookie values
in place with cookies[name].concat(values) instead of the
super-linear values = cookies[name].value + values, so a Cookie:
header repeating one name parses in O(n) instead of O(n**2).
Adapted byte-identically from upstream ruby/cgi@9907b76.
- CVE-2025-27219
* SECURITY UPDATE: ReDoS in CGI::Util#escapeElement
- debian/patches/CVE-2025-27220.patch: replace the lazy
backtracking element matcher ((?:.|\n)*?>) in escapeElement and
unescapeElement with possessive/atomic forms that cannot
backtrack, so a crafted unterminated tag no longer triggers
catastrophic backtracking. Adapted byte-identically from upstream
ruby/cgi@c9d1311; the upstream unclosed-tag regression tests are
added to test/cgi/test_cgi_util.rb.
- CVE-2025-27220
* SECURITY UPDATE: URI password leak when combining URIs (CVE-2025-27221 bypass)
- debian/patches/CVE-2025-61594.patch: clear userinfo fully in
set_userinfo/set_user, clear it on host=/port=, add an authority
reader and protected set_authority setter, and make merge replace
the whole authority atomically so combining a base URI with a
relative one no longer carries the base password to a new host.
Backported from upstream ruby/uri d3116ca ("Clear user info
totally..." fixing CVE-2025-27221, plus "Add authority accessor");
the merge() hunk is adapted to uri 0.10.0.2's layout. The
test/uri/test_generic.rb#test_set_component expectations are
updated and a test_merge_does_not_leak_credentials test is added.
- CVE-2025-61594
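The merge-then-authority-change case from the CVE-2025-61594 entry, as an added example that is not part of this changelog or of ruby/uri's own code: a wrapper around the standard-library URI merge that lets base credentials survive only while the combined URI still points at the base host and port, plus a check for URIs that were combined elsewhere. The names merge_without_credential_leak and leaks_credentials? are assumed here; the wrapper behaves the same on a patched and an unpatched uri because it clears the password before the user.

```ruby
require 'uri'

# Added example, not code from this package or from ruby/uri. It assumes only
# the standard-library URI of whatever Ruby runs it, patched or unpatched.

# Merge +ref+ into +base+ with URI::Generic#merge, then allow the base
# credentials to survive only when the result still points at the host and
# port they were issued for.
def merge_without_credential_leak(base, ref)
  base = URI(base)
  merged = base.merge(ref)
  same_authority = merged.host == base.host && merged.port == base.port
  unless same_authority
    # Clear the password before the user: on an unpatched uri,
    # set_userinfo(nil) leaves @password in place (the CVE-2025-27221
    # behaviour), so assigning userinfo = nil alone is not enough.
    merged.password = nil
    merged.user = nil
  end
  merged
end

# Defender's check for URIs combined elsewhere: true when the result carries
# a user or password to a host the base URI never authenticated to.
def leaks_credentials?(base, combined)
  base = URI(base)
  combined = URI(combined)
  has_credentials = !combined.user.nil? || !combined.password.nil?
  has_credentials && combined.host != base.host
end

if __FILE__ == $0
  # Constructed inputs: a ref carrying its own authority, and a plain path.
  base = "http://user:secret@a.example/dir/"
  puts merge_without_credential_leak(base, "//b.example/p")    # http://b.example/p
  puts merge_without_credential_leak(base, "other")            # http://user:secret@a.example/dir/other
  p leaks_credentials?(base, "http://user:secret@b.example/p") # true
end
```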
Updated packages:
- alt-ruby27_2.7.8-6_amd64.deb  sha:9d44447a61ff905de8d3c622ef1049485b1b3329
- alt-ruby27-default-gems_2.7.8-6_amd64.deb  sha:7ac895cfd6eaaf85e0e1a7f17a30fd777732a573
- alt-ruby27-devel_2.7.8-6_amd64.deb  sha:bc121a6af90b8c07e0c3855a7b8020ac72e16c90
- alt-ruby27-doc_2.7.8-6_amd64.deb  sha:4f4293c86aaef9b82ecb0188f2eea25bae2188df
- alt-ruby27-libs_2.7.8-6_amd64.deb  sha:9ef013a53532072c897412298e3aabca2ae01360
- alt-ruby27-rubygem-bigdecimal_2.0.0-6_amd64.deb  sha:0f169fd417f2b3e465549cc83fc709f9a8d80c02
- alt-ruby27-rubygem-bundler_2.2.24-6_amd64.deb  sha:96848fbe6eb152e985a97bd09a808b042cfce8de
- alt-ruby27-rubygem-io-console_0.5.6-6_amd64.deb  sha:e18acd4882a81d3f01942c8ed19ecff9829c9c2f
- alt-ruby27-rubygem-irb_1.2.6-6_amd64.deb  sha:bb69d2ef0d18c87f858c10c9eaf7c4adcffc8f87
- alt-ruby27-rubygem-json_2.3.0-6_amd64.deb  sha:b2033a578a5b98a47e51fa35ac227ccca672d48a
- alt-ruby27-rubygem-minitest_5.13.0-6_amd64.deb  sha:7c0a713a603bbdd2f1bf7ee15cb7db1e583f7d61
- alt-ruby27-rubygem-net-telnet_0.2.0-6_amd64.deb  sha:4a65b659252fb5b8f0fd56ffcd3b18a28d837ac1
- alt-ruby27-rubygem-power-assert_1.1.7-6_amd64.deb  sha:bd53df21f9073b865d82ac88dbb61b280f37c53c
- alt-ruby27-rubygem-psych_3.1.0-6_amd64.deb  sha:72f4638ccbb96ea54fb8b903750727733b8b58be
- alt-ruby27-rubygem-rake_13.0.1-6_amd64.deb  sha:feda303d61260347a61a44987a1515d3dce98f63
- alt-ruby27-rubygem-rdoc_6.2.1.1-6_amd64.deb  sha:d4e408fcb838dc13ce31258eac07c1bdfb5847ef
- alt-ruby27-rubygem-test-unit_3.3.4-6_amd64.deb  sha:252a03c398c4681c465ae8eb718fc54cb450e51c
- alt-ruby27-rubygem-typeprof_2.7.8-6_amd64.deb  sha:2d8168b7d0092aeb075c1763a945890af42dc296
- alt-ruby27-rubygem-xmlrpc_0.3.0-6_amd64.deb  sha:4210b4353ac4c061923815e392a87e5cd2b01fc5
- alt-ruby27-rubygems_3.1.6-6_amd64.deb  sha:bd81429e7afa1d48bb16ab253588b553e1181283
- alt-ruby27-rubygems-devel_3.1.6-6_amd64.deb  sha:0c6f4bb8db2958685a37a3f50d401148c2951381
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.