-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmfz2cYFAwAAAAAACgkQZWnYVadEvpP3
nQ/+NyS+msK25YV1Z6dDHuKePo+rV7z4Layze1kma1Zmu8/xeKnes9aKN5+TPP47lKe//EB9iqAW
GAE36lTpRuw1kBJRXg9tY1gVQ+HJEzMG+zolsOUknB1lC/joRmPsdGm9u+a2vZ+bXe4tvOCbtRms
iM+wdTFPcAh8t2s+TGrwR7FYCrcOZzBGQ1SDIe6Ly8z2Crbr3FccA5unFERZtfbXozA60++bMbrw
GGDQ3n7MMJoLEqBEk+ELXjI6vzR2Hv8ArEEUg5K15cHAUgBp8RXpTx28v9F6dn2M61DxWT+q8pL4
xeRX4rSU/um+b0u4rQghsjGUy3NMkMTCW3eQxrG+vgne1ZwzVs12FlbPCqk2eLf3Ig2PGMC+y7Kt
sgu8I1oxMkIrEx6U0pcz4olWsMYvSNp8MhLxwe5GCGRMuAYR7kgdbTTib++HiZ1Xxu6icgRgeqq1
D1UgMXrw5GrGNbihZ9Wz2u9FuzqHHR/EgBKRli64jZC13sl47sdBCh2RmMM3MatDc1UD0Xth/qYd
X5+sDjjwS+1R4mUFAIFfymz5ymyV3NBRsyBjo0q2G7i+XB7eXO5xjiUSwr/4ZxVEuOOI8ETlnXEU
0Yt3Axj33vzYHd2DD2fUXWLuunDeuDhU+R6axkx35tRZIWDq2zwzEe2/9Wzyjm+F7H8caDGwTrgB
Qus=
=5qWN
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7418-1
April 07, 2025
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby3.3: Object-oriented scripting language
- ruby3.2: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language
- ruby2.7: Object-oriented scripting language
Details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected in Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
cookies. A remote attacker could possibly use this issue to consume
resources, leading to a denial of service. (CVE-2025-27219)
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
regular expressions. A remote attacker could possibly use this issue to
consume resources, leading to a denial of service. (CVE-2025-27220)
It was discovered that the Ruby URI gem incorrectly handled certain URI
handling methods. A remote attacker could possibly use this issue to leak
authentication credentials. (CVE-2025-27221)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libruby3.3 3.3.4-2ubuntu5.2
ruby3.3 3.3.4-2ubuntu5.2
Ubuntu 24.04 LTS
libruby3.2 3.2.3-1ubuntu0.24.04.5
ruby3.2 3.2.3-1ubuntu0.24.04.5
Ubuntu 22.04 LTS
libruby3.0 3.0.2-7ubuntu2.10
ruby3.0 3.0.2-7ubuntu2.10
Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.18
ruby2.7 2.7.0-5ubuntu1.18
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7418-1
CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398,
CVE-2025-25186, CVE-2025-27219, CVE-2025-27220, CVE-2025-27221
Package Information:
https://launchpad.net/ubuntu/+source/ruby3.3/3.3.4-2ubuntu5.2
https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.5
https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.10
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.18
No comments:
Post a Comment