==========================================================================
Ubuntu Security Notice USN-7840-1
October 27, 2025
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language
Details:
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. This update addresses the issue
in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39908, CVE-2024-41123)
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with many entity expansions. An attacker
could possibly use this issue to cause REXML to consume excessive
resources, leading to a denial of service. Ubuntu 20.04 LTS was previously
addressed in USN-7091-2. This update addresses the issue in Ubuntu 16.04
LTS and Ubuntu 18.04 LTS. (CVE-2024-41946)
It was discovered that the WEBrick module bundled into Ruby incorrectly
handled having both a Content-Length header and a Transfer-Encoding header.
A remote attacker could possibly use this issue to perform a HTTP request
smuggling attack. (CVE-2024-47220)
It was discovered that the WEBrick module bundled into Ruby incorrectly
parsed HTTP headers. In configurations where the WEBrick module is placed
behind an HTTP proxy, a remote attacker could possibly use this issue to
perform an HTTP Request Smuggling attack. (CVE-2025-6442)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.18+esm3
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libruby2.5 2.5.1-1ubuntu1.16+esm6
Available with Ubuntu Pro
ruby2.5 2.5.1-1ubuntu1.16+esm6
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libruby2.3 2.3.1-2~ubuntu16.04.16+esm11
Available with Ubuntu Pro
ruby2.3 2.3.1-2~ubuntu16.04.16+esm11
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7840-1
CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946,
CVE-2024-47220, CVE-2025-6442
No comments:
Post a Comment