Security update for ruby2.5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02739-1 Final 1 1 2025-08-08T09:11:19Z current 2025-08-08T09:11:19Z 2025-08-08T09:11:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby2.5 This update for ruby2.5 fixes the following issues: - CVE-2025-6442: Fixed read_header HTTP Request Smuggling Vulnerability in WEBrick (bsc#1245254) - CVE-2025-27221: Fixed userinfo leakage in URI#join, URI#merge and URI#+ (bsc#1237805) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2739,SUSE-SLE-Module-Basesystem-15-SP6-2025-2739,openSUSE-SLE-15.6-2025-2739 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502739-1/ Link for SUSE-SU-2025:02739-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041148.html E-Mail link for SUSE-SU-2025:02739-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237805 SUSE Bug 1237805 https://bugzilla.suse.com/1245254 SUSE Bug 1245254 https://www.suse.com/security/cve/CVE-2025-27221/ SUSE CVE CVE-2025-27221 page https://www.suse.com/security/cve/CVE-2025-6442/ SUSE CVE CVE-2025-6442 page SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.6 libruby2_5-2_5-2.5.9-150000.4.46.1 ruby2.5-2.5.9-150000.4.46.1 ruby2.5-devel-2.5.9-150000.4.46.1 ruby2.5-devel-extra-2.5.9-150000.4.46.1 ruby2.5-doc-2.5.9-150000.4.46.1 ruby2.5-doc-ri-2.5.9-150000.4.46.1 ruby2.5-stdlib-2.5.9-150000.4.46.1 libruby2_5-2_5-2.5.9-150000.4.46.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-2.5.9-150000.4.46.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-devel-2.5.9-150000.4.46.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-devel-extra-2.5.9-150000.4.46.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-stdlib-2.5.9-150000.4.46.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libruby2_5-2_5-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-devel-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-devel-extra-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-doc-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-doc-ri-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 ruby2.5-stdlib-2.5.9-150000.4.46.1 as a component of openSUSE Leap 15.6 In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. CVE-2025-27221 SUSE Linux Enterprise Module for Basesystem 15 SP6:libruby2_5-2_5-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-extra-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-stdlib-2.5.9-150000.4.46.1 openSUSE Leap 15.6:libruby2_5-2_5-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-devel-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-devel-extra-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-doc-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-doc-ri-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-stdlib-2.5.9-150000.4.46.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502739-1/ https://www.suse.com/security/cve/CVE-2025-27221.html CVE-2025-27221 https://bugzilla.suse.com/1237805 SUSE Bug 1237805 Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876. CVE-2025-6442 SUSE Linux Enterprise Module for Basesystem 15 SP6:libruby2_5-2_5-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-extra-2.5.9-150000.4.46.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-stdlib-2.5.9-150000.4.46.1 openSUSE Leap 15.6:libruby2_5-2_5-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-devel-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-devel-extra-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-doc-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-doc-ri-2.5.9-150000.4.46.1 openSUSE Leap 15.6:ruby2.5-stdlib-2.5.9-150000.4.46.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502739-1/ https://www.suse.com/security/cve/CVE-2025-6442.html CVE-2025-6442 https://bugzilla.suse.com/1245252 SUSE Bug 1245252