Security update for ruby2.5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02814-1 Final 1 1 2025-08-15T12:53:23Z current 2025-08-15T12:53:23Z 2025-08-15T12:53:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby2.5 This update for ruby2.5 fixes the following issues: - CVE-2024-35221: Fixed remote denial of service via YAML manifest (bsc#1225905) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2814,SUSE-SLE-Module-Basesystem-15-SP6-2025-2814,openSUSE-SLE-15.6-2025-2814 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502814-1/ Link for SUSE-SU-2025:02814-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041225.html E-Mail link for SUSE-SU-2025:02814-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1225905 SUSE Bug 1225905 https://www.suse.com/security/cve/CVE-2024-35221/ SUSE CVE CVE-2024-35221 page SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.6 libruby2_5-2_5-2.5.9-150000.4.49.1 ruby2.5-2.5.9-150000.4.49.1 ruby2.5-devel-2.5.9-150000.4.49.1 ruby2.5-devel-extra-2.5.9-150000.4.49.1 ruby2.5-doc-2.5.9-150000.4.49.1 ruby2.5-doc-ri-2.5.9-150000.4.49.1 ruby2.5-stdlib-2.5.9-150000.4.49.1 libruby2_5-2_5-2.5.9-150000.4.49.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-2.5.9-150000.4.49.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-devel-2.5.9-150000.4.49.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-devel-extra-2.5.9-150000.4.49.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 ruby2.5-stdlib-2.5.9-150000.4.49.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libruby2_5-2_5-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-devel-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-devel-extra-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-doc-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-doc-ri-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 ruby2.5-stdlib-2.5.9-150000.4.49.1 as a component of openSUSE Leap 15.6 Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. CVE-2024-35221 SUSE Linux Enterprise Module for Basesystem 15 SP6:libruby2_5-2_5-2.5.9-150000.4.49.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-2.5.9-150000.4.49.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-2.5.9-150000.4.49.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-devel-extra-2.5.9-150000.4.49.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:ruby2.5-stdlib-2.5.9-150000.4.49.1 openSUSE Leap 15.6:libruby2_5-2_5-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-devel-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-devel-extra-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-doc-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-doc-ri-2.5.9-150000.4.49.1 openSUSE Leap 15.6:ruby2.5-stdlib-2.5.9-150000.4.49.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502814-1/ https://www.suse.com/security/cve/CVE-2024-35221.html CVE-2024-35221 https://bugzilla.suse.com/1225905 SUSE Bug 1225905