[SECURITY] [DLA 4082-1] ruby2.7 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4082-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
March 10, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby2.7
Version : 2.7.4-1+deb11u5
CVE ID : CVE-2025-27219 CVE-2025-27220 CVE-2025-27221
Ruby, a popular programming language, was affected by multiple vulnerabilities.
CVE-2025-27219
In the CGI gem, the CGI::Cookie.parse method contains a potential
Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.
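The following is an added example, not code from the advisory or from the Ruby project: an application-side guard that bounds the raw cookie string before handing it to CGI::Cookie.parse, so an oversized header is rejected up front rather than parsed. The 4096-byte limit and the function names are assumptions chosen for the example; the sample headers are constructed.

```ruby
require 'cgi'

# Assumed upper bound for a raw Cookie header. Pick a value that fits the
# cookies your application actually sets; 4096 bytes is an assumption here.
MAX_RAW_COOKIE_BYTES = 4096

# Returns true when the raw header is within the size budget, false otherwise.
def cookie_header_acceptable?(raw_cookie, limit = MAX_RAW_COOKIE_BYTES)
  raw_cookie.to_s.bytesize <= limit
end

# Guard around CGI::Cookie.parse: refuse oversized raw cookie strings before
# the parser sees them, so a huge header cannot drive resource consumption.
# Returns the parsed hash (name => CGI::Cookie) or raises ArgumentError.
def parse_cookies_bounded(raw_cookie, limit = MAX_RAW_COOKIE_BYTES)
  raw = raw_cookie.to_s
  unless cookie_header_acceptable?(raw, limit)
    raise ArgumentError,
          "Cookie header too large (#{raw.bytesize} bytes, limit #{limit})"
  end
  CGI::Cookie.parse(raw)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal header and an oversized one.
  parse_cookies_bounded("session=abc123; theme=dark").each do |name, cookie|
    puts "#{name} => #{cookie.value.inspect}"
  end

  begin
    parse_cookies_bounded("big=" + ("x" * 10_000))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The size check runs on the raw string, before any splitting or unescaping, which is where the cost the advisory describes is incurred; the limit should be enforced as close to the network edge as possible (a reverse proxy header-size limit gives the same protection one layer earlier).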
CVE-2025-27220
In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.
CVE-2025-27221
In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) inadvertently leak
authentication credentials, because userinfo is retained
even after the host changes.
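The following is an added example, not code from the advisory or from the Ruby URI library: a defensive wrapper around URI.join that drops userinfo inherited from the base whenever the joined result points at a different host, plus a small diagnostic that reports whether the installed URI library carries credentials across a host change. The function names are assumptions made for the example, and the URLs are constructed. The wrapper does not depend on URI.join's own fix, so it behaves the same on patched and unpatched Ruby versions; the diagnostic's answer, by design, depends on the version you run it on.

```ruby
require 'uri'

# Defensive join: after URI.join, if the reference moved the request to a
# different host, clear any userinfo so the base's credentials never travel
# to a host they were not meant for. Host comparison is case-insensitive.
def safe_join(base, ref)
  base_uri = URI(base)
  joined = URI.join(base_uri, ref)
  unless joined.host.to_s.casecmp?(base_uri.host.to_s)
    # URI::Generic#userinfo=(nil) is a no-op in the library, so user and
    # password are cleared individually instead.
    joined.user = nil
    joined.password = nil
  end
  joined
end

# Diagnostic: does a plain URI.join carry the base's userinfo to a different
# host? Returns true on an affected URI library, false on a fixed one (or
# when the host does not change). Useful as a quick check of an installation.
def credential_leak?(base, ref)
  base_uri = URI(base)
  joined = URI.join(base_uri, ref)
  return false if base_uri.userinfo.nil?
  return false if joined.host.to_s.casecmp?(base_uri.host.to_s)
  joined.userinfo == base_uri.userinfo
end

if __FILE__ == $PROGRAM_NAME
  base = "http://user:pass@example.com/app/"
  # A network-path reference ("//host/path") changes the host while keeping
  # the scheme; this is the shape where retained userinfo would be exposed.
  puts safe_join(base, "//other.example/x")   # http://other.example/x
  puts safe_join(base, "../other")             # same host, credentials kept
  puts "installed URI library leaks userinfo: #{credential_leak?(base, "//other.example/x")}"
end
```

In practice the wrapper belongs wherever an application builds request URLs from a base that carries credentials and a path or reference taken from outside input (redirect targets, API "next" links); the diagnostic is what you would run once on each host to confirm the update landed.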
For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u5.
We recommend that you upgrade your ruby2.7 packages.
For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS