Ubuntu alert USN-7418-1 (ruby2.7, ruby3.0, ruby3.2, ruby3.3)
| From: | Marc Deslauriers <marc.deslauriers@canonical.com> | |
| To: | "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com> | |
| Subject: | [USN-7418-1] Ruby vulnerabilities | |
| Date: | Mon, 07 Apr 2025 09:57:26 -0400 | |
| Message-ID: | <6fc0c67a-0c69-44db-9cc2-387307b79cba@canonical.com> |
========================================================================== Ubuntu Security Notice USN-7418-1 April 07, 2025 ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Ruby. Software Description: - ruby3.3: Object-oriented scripting language - ruby3.2: Object-oriented scripting language - ruby3.0: Object-oriented scripting language - ruby2.7: Object-oriented scripting language Details: It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398) It was discovered that Ruby incorrectly handled expanding ranges in the net-imap response parser. If a user or automated system were tricked into connecting to a malicious IMAP server, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186) It was discovered that the Ruby CGI gem incorrectly handled parsing certain cookies. A remote attacker could possibly use this issue to consume resources, leading to a denial of service. (CVE-2025-27219) It was discovered that the Ruby CGI gem incorrectly handled parsing certain regular expressions. A remote attacker could possibly use this issue to consume resources, leading to a denial of service. (CVE-2025-27220) It was discovered that the Ruby URI gem incorrectly handled certain URI handling methods. A remote attacker could possibly use this issue to leak authentication credentials. (CVE-2025-27221) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 libruby3.3 3.3.4-2ubuntu5.2 ruby3.3 3.3.4-2ubuntu5.2 Ubuntu 24.04 LTS libruby3.2 3.2.3-1ubuntu0.24.04.5 ruby3.2 3.2.3-1ubuntu0.24.04.5 Ubuntu 22.04 LTS libruby3.0 3.0.2-7ubuntu2.10 ruby3.0 3.0.2-7ubuntu2.10 Ubuntu 20.04 LTS libruby2.7 2.7.0-5ubuntu1.18 ruby2.7 2.7.0-5ubuntu1.18 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7418-1 CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398, CVE-2025-25186, CVE-2025-27219, CVE-2025-27220, CVE-2025-27221 Package Information: https://launchpad.net/ubuntu/+source/ruby3.3/3.3.4-2ubunt... https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubunt... https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubunt... https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubunt...
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmfz2cYFAwAAAAAACgkQZWnYVadEvpP3 nQ/+NyS+msK25YV1Z6dDHuKePo+rV7z4Layze1kma1Zmu8/xeKnes9aKN5+TPP47lKe//EB9iqAW GAE36lTpRuw1kBJRXg9tY1gVQ+HJEzMG+zolsOUknB1lC/joRmPsdGm9u+a2vZ+bXe4tvOCbtRms iM+wdTFPcAh8t2s+TGrwR7FYCrcOZzBGQ1SDIe6Ly8z2Crbr3FccA5unFERZtfbXozA60++bMbrw GGDQ3n7MMJoLEqBEk+ELXjI6vzR2Hv8ArEEUg5K15cHAUgBp8RXpTx28v9F6dn2M61DxWT+q8pL4 xeRX4rSU/um+b0u4rQghsjGUy3NMkMTCW3eQxrG+vgne1ZwzVs12FlbPCqk2eLf3Ig2PGMC+y7Kt sgu8I1oxMkIrEx6U0pcz4olWsMYvSNp8MhLxwe5GCGRMuAYR7kgdbTTib++HiZ1Xxu6icgRgeqq1 D1UgMXrw5GrGNbihZ9Wz2u9FuzqHHR/EgBKRli64jZC13sl47sdBCh2RmMM3MatDc1UD0Xth/qYd X5+sDjjwS+1R4mUFAIFfymz5ymyV3NBRsyBjo0q2G7i+XB7eXO5xjiUSwr/4ZxVEuOOI8ETlnXEU 0Yt3Axj33vzYHd2DD2fUXWLuunDeuDhU+R6axkx35tRZIWDq2zwzEe2/9Wzyjm+F7H8caDGwTrgB Qus= =5qWN -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)