Ubuntu alert USN-7840-1 (ruby2.3, ruby2.5, ruby2.7)
| Field | Value |
|---|---|
| From: | noreply+usn-bot@canonical.com |
| To: | ubuntu-security-announce@lists.ubuntu.com |
| Subject: | [USN-7840-1] Ruby vulnerabilities |
| Date: | Mon, 27 Oct 2025 15:45:52 +0000 |
| Message-ID: | <E1vDPPs-0001lA-HP@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-7840-1
October 27, 2025

ruby2.3, ruby2.5, ruby2.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:

- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)

It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. This update addresses the
issue in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39908,
CVE-2024-41123)

It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with many entity expansions. An attacker
could possibly use this issue to cause REXML to consume excessive
resources, leading to a denial of service. Ubuntu 20.04 LTS was
previously addressed in USN-7091-2. This update addresses the issue in
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-41946)

It was discovered that the WEBrick module bundled into Ruby incorrectly
handled requests carrying both a Content-Length header and a
Transfer-Encoding header. A remote attacker could possibly use this issue
to perform an HTTP request smuggling attack. (CVE-2024-47220)

It was discovered that the WEBrick module bundled into Ruby incorrectly
parsed HTTP headers. In configurations where the WEBrick module is placed
behind an HTTP proxy, a remote attacker could possibly use this issue to
perform an HTTP request smuggling attack. (CVE-2025-6442)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libruby2.7                      2.7.0-5ubuntu1.18+esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libruby2.5                      2.5.1-1ubuntu1.16+esm6
                                  Available with Ubuntu Pro
  ruby2.5                         2.5.1-1ubuntu1.16+esm6
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm11
                                  Available with Ubuntu Pro
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm11
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7840-1
  CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946,
  CVE-2024-47220, CVE-2025-6442
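The REXML entity-expansion issues above are the kind of resource exhaustion an application can also bound at parse time, which matters on hosts where the fixed packages (Ubuntu Pro only) are not yet installed. The following is an added example, not code from the advisory or from Ruby; it wraps REXML parsing of untrusted input with a per-call expansion budget using the real `REXML::Security.entity_expansion_limit` and `entity_expansion_text_limit` settings. The function name and the sample documents are constructed for this illustration.

```ruby
# Added example (not from the advisory or the REXML project): parse untrusted
# XML with a bounded entity-expansion budget. REXML::Security settings are
# global, so they are restored after each call.
require "rexml/document"

# Returns [:ok, root_text] when the root element's text expands within the
# budget, or [:rejected, reason] when REXML aborts because a limit was hit
# or the document is malformed. Function name is constructed for this example.
def parse_untrusted_xml(xml, max_expansions: 100, max_text_bytes: 4096)
  old_count = REXML::Security.entity_expansion_limit
  old_text  = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = max_expansions
  REXML::Security.entity_expansion_text_limit = max_text_bytes
  doc = REXML::Document.new(xml)
  # REXML expands entity references lazily when text is read, so the
  # expansion counter fires here rather than inside Document.new.
  [:ok, doc.root.text]
rescue REXML::ParseException => e
  [:rejected, "malformed XML: #{e.message.lines.first.strip}"]
rescue RuntimeError => e
  # REXML signals an exceeded expansion limit with a plain RuntimeError.
  [:rejected, "expansion limit hit: #{e.message}"]
ensure
  REXML::Security.entity_expansion_limit = old_count
  REXML::Security.entity_expansion_text_limit = old_text
end

# Constructed samples: one declared entity, referenced a few times (no
# nesting, no amplification), to show the budget being enforced.
DOCTYPE   = '<!DOCTYPE d [<!ENTITY greet "hello">]>'
SMALL_DOC = "#{DOCTYPE}<d>&greet; &greet;</d>"   # 2 expansions
MANY_DOC  = "#{DOCTYPE}<d>#{'&greet;' * 8}</d>"  # 8 expansions

if $PROGRAM_NAME == __FILE__
  p parse_untrusted_xml(SMALL_DOC, max_expansions: 5) # [:ok, "hello hello"]
  p parse_untrusted_xml(MANY_DOC, max_expansions: 5)  # [:rejected, "expansion limit hit: ..."]
end
```

A stricter policy for input that never legitimately needs a DTD is to reject any document containing a DOCTYPE before parsing at all.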
Attachment: signature.asc (type=application/pgp-signature)
