[CLSA-2026:1781512748] Fix CVE(s): CVE-2025-27219, CVE-2025-27220, CVE-2025-61594
Type:
security
Severity:
Important
Release date:
2026-06-15 08:40:53 UTC
Description:
  * SECURITY UPDATE: DoS in CGI::Cookie.parse via repeated cookie names
    - debian/patches/CVE-2025-27219.patch: merge repeated cookie values in place with cookies[name].concat(values) instead of the super-linear values = cookies[name].value + values, so a Cookie: header repeating one name parses in O(n) instead of O(n**2). Adapted byte-identically from upstream ruby/cgi@9907b76.
    - CVE-2025-27219
  * SECURITY UPDATE: ReDoS in CGI::Util#escapeElement
    - debian/patches/CVE-2025-27220.patch: replace the lazy backtracking element matcher ((?:.|\n)*?>) in escapeElement and unescapeElement with possessive/atomic forms that cannot backtrack, so a crafted unterminated tag no longer triggers catastrophic backtracking. Adapted byte-identically from upstream ruby/cgi@c9d1311; the upstream unclosed-tag regression tests are added to test/cgi/test_cgi_util.rb.
    - CVE-2025-27220
  * SECURITY UPDATE: URI password leak when combining URIs (CVE-2025-27221 bypass)
    - debian/patches/CVE-2025-61594.patch: clear userinfo fully in set_userinfo/set_user, clear it on host=/port=, add an authority reader and a protected set_authority setter, and make merge replace the whole authority atomically, so combining a base URI with a relative one no longer carries the base password to a new host. Backported from upstream ruby/uri d3116ca ("Clear user info totally...", fixing CVE-2025-27221, plus "Add authority accessor"); the merge() hunk is adapted to uri 0.10.0.2's layout. The test/uri/test_generic.rb#test_set_component expectations are updated and a test_merge_does_not_leak_credentials test is added.
    - CVE-2025-61594
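The following Ruby block is an added illustration of the three patterns named in the description above; it is not the ruby/cgi or ruby/uri code and not the contents of the debian/patches. The toy cookie splitter, the two escapeElement-style matchers and the merge wrapper are constructed here (method names split_cookie_pairs, parse_cookies_quadratic, parse_cookies_linear, escape_element_lazy, escape_element_possessive and merge_without_credential_leak are assumptions). The first pair contrasts the super-linear "copy the whole array on every repeated name" merge with the in-place concat; the second pair contrasts a lazy tag-body matcher with a possessive one; the last function is a defensive wrapper an application can use on a not-yet-patched uri gem so that a merge onto a different host never keeps the base URI's userinfo.

```ruby
# Added illustration for this advisory; NOT the ruby/cgi or ruby/uri code and
# not the debian/patches. Method names and the toy parsers are assumptions.
require 'uri'

# ---- 1. CGI::Cookie.parse-style merging of repeated cookie names ----------
# Constructed, simplified Cookie header splitter: "a=1&2; b=x" becomes
# [["a", ["1", "2"]], ["b", ["x"]]], with values URL-decoded.
def split_cookie_pairs(header)
  header.split(/;\s*/).filter_map do |pair|
    name, values = pair.split('=', 2)
    next if name.nil? || name.strip.empty?
    [name.strip, (values || '').split('&').map { |v| URI.decode_www_form_component(v) }]
  end
end

# Pre-fix shape: `cookies[name] + values` builds a fresh array holding every
# value seen so far, so the k-th repetition of a name copies k elements and a
# header repeating one name n times costs O(n**2).
def parse_cookies_quadratic(header)
  cookies = {}
  split_cookie_pairs(header).each do |name, values|
    values = cookies[name] + values if cookies.key?(name)
    cookies[name] = values
  end
  cookies
end

# Post-fix shape: append in place with Array#concat, amortised O(1) per value.
def parse_cookies_linear(header)
  cookies = {}
  split_cookie_pairs(header).each do |name, values|
    if cookies.key?(name)
      cookies[name].concat(values)
    else
      cookies[name] = values
    end
  end
  cookies
end

# Constructed hostile header: one cookie name repeated n times.
def repeated_name_header(n)
  Array.new(n) { |i| "a=#{i}" }.join('; ')
end

# ---- 2. escapeElement-style tag escaping ----------------------------------
def html_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Lazy tag body (?:.|\n)*? : on a failed match the engine backtracks into it
# and retries with different body lengths before giving up at that position.
def escape_element_lazy(str, *elements)
  alt = elements.map { |e| Regexp.escape(e) }.join('|')
  str.gsub(/<\/?(?:#{alt})(?!\w)(?:.|\n)*?>/i) { |m| html_escape(m) }
end

# Possessive tag body [^>]*+ : what it consumes is never given back, so an
# unterminated "<b ..." fails once at that position instead of being re-tried.
def escape_element_possessive(str, *elements)
  alt = elements.map { |e| Regexp.escape(e) }.join('|')
  str.gsub(/<\/?(?:#{alt})\b[^>]*+>/i) { |m| html_escape(m) }
end

# ---- 3. URI merge without carrying the base password to a new host --------
# Defensive wrapper for application code on an unpatched uri gem: merge as
# usual, then drop userinfo whenever the resulting authority (scheme, host,
# port) differs from the base's. password is cleared before user because in
# unpatched uri a user= nil can leave @password set (the set_user fix above).
def merge_without_credential_leak(base, relative)
  base = URI.parse(base) unless base.is_a?(URI::Generic)
  merged = base.merge(relative)
  same_authority = merged.scheme == base.scheme &&
                   merged.host == base.host &&
                   merged.port == base.port
  unless same_authority
    merged.password = nil
    merged.user = nil
  end
  merged
end
```

To see the first pattern's cost, time parse_cookies_quadratic(repeated_name_header(50_000)) against parse_cookies_linear on the same header: the linear form stays flat while the quadratic form grows with the square of the repetition count. The merge wrapper is deliberately conservative: a relative reference that brings its own userinfo onto a different host also loses it, which is the safe default for a client that holds credentials for one origin only.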
Updated packages:
  • alt-ruby27_2.7.8-6_amd64.deb
    sha:a542719752c5a81140b1da613be4416bb8672bf2
  • alt-ruby27-default-gems_2.7.8-6_amd64.deb
    sha:8e677fb8fd0cbfd8f0075fa1cf85526d2bcb9fef
  • alt-ruby27-devel_2.7.8-6_amd64.deb
    sha:80692ed724cd76c7e878f570ebb7f4796927d464
  • alt-ruby27-doc_2.7.8-6_amd64.deb
    sha:55a275454dd30164e7567efbba4df3d6a0b4f4d9
  • alt-ruby27-libs_2.7.8-6_amd64.deb
    sha:fabd0c1d03bca1b6e0fba168c8c9c2a9a9ef5102
  • alt-ruby27-rubygem-bigdecimal_2.0.0-6_amd64.deb
    sha:ee451685d9d28d511a2f0a5723a52c0cd66701b8
  • alt-ruby27-rubygem-bundler_2.2.24-6_amd64.deb
    sha:676290c70b6abd4d279eaf666049a63398e25b0a
  • alt-ruby27-rubygem-io-console_0.5.6-6_amd64.deb
    sha:774ee4f030f5a2e8767202abfe5eeb78f6cec9c7
  • alt-ruby27-rubygem-irb_1.2.6-6_amd64.deb
    sha:228a5279046f00cad43783d7cf93b5c4f3db0cec
  • alt-ruby27-rubygem-json_2.3.0-6_amd64.deb
    sha:85fb048f082c3066adfbfd46a9d7c70c0145a965
  • alt-ruby27-rubygem-minitest_5.13.0-6_amd64.deb
    sha:fb65461f28af0367dbe5a03ea746b0753354cf87
  • alt-ruby27-rubygem-net-telnet_0.2.0-6_amd64.deb
    sha:287e462fa280f6c9f7c0711446a8f75dd0e2a459
  • alt-ruby27-rubygem-power-assert_1.1.7-6_amd64.deb
    sha:2db191499d3260615cbb1310231a7816a96e4919
  • alt-ruby27-rubygem-psych_3.1.0-6_amd64.deb
    sha:5a4effbe318fcce1d2cc962cf87152de3319e54d
  • alt-ruby27-rubygem-rake_13.0.1-6_amd64.deb
    sha:c498fa1ccfd7e214e8b06d06baf05617b2240748
  • alt-ruby27-rubygem-rdoc_6.2.1.1-6_amd64.deb
    sha:cf1423348a4548f02dc93bd36a0dc861bfdfe3a8
  • alt-ruby27-rubygem-test-unit_3.3.4-6_amd64.deb
    sha:23ae3b9dd8a078d8f413e94cc099a94d7a6f548a
  • alt-ruby27-rubygem-typeprof_2.7.8-6_amd64.deb
    sha:f1f6b0ab5e769fddd1584409e0f85c942a61bb88
  • alt-ruby27-rubygem-xmlrpc_0.3.0-6_amd64.deb
    sha:02c7e35bbd10b4b2524bc49b0beb52400c893539
  • alt-ruby27-rubygems_3.1.6-6_amd64.deb
    sha:9054a746f756b3b3a9b156e8fab76e806e53478f
  • alt-ruby27-rubygems-devel_3.1.6-6_amd64.deb
    sha:6159be32ed9a5068ce2e95c9c08613c21db7d036
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.