Security update for ruby2.5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4264-1 Final 1 1 2025-11-26T15:52:44Z current 2025-11-26T15:52:44Z 2025-11-26T15:52:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby2.5 This update for ruby2.5 fixes the following issues: - CVE-2024-35221: Fixed remote DoS via YAML manifest (bsc#1225905) - CVE-2024-47220: Fixed HTTP request smuggling in WEBrick (bsc#1230930) - CVE-2024-49761: Fixed ReDOS vulnerability by updating REXML to 3.3.9 (bsc#1232440) - CVE-2025-24294: Fixed denial of service (DoS) caused by an insufficient check on the length of a decompressed domain name within a DNS packet in resolv gem (bsc#1246430) - CVE-2025-27219: Fixed denial of service in CGI::Cookie.parse (bsc#1237804) - CVE-2025-27220: Fixed ReDoS in CGI::Util#escapeElement (bsc#1237806) - CVE-2025-27221: Fixed userinfo leakage in URI#join, URI#merge and URI#+ (bsc#1237805) - CVE-2025-6442: Fixed ruby WEBrick read_header HTTP request smuggling vulnerability (bsc#1245254) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/ruby:2-2025-4264,SUSE-2025-4264,SUSE-SLE-Module-Basesystem-15-SP7-2025-4264 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ Link for SUSE-SU-2025:4264-1 https://lists.suse.com/pipermail/sle-security-updates/2025-November/023374.html E-Mail link for SUSE-SU-2025:4264-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1225905 SUSE Bug 1225905 https://bugzilla.suse.com/1230930 SUSE Bug 1230930 https://bugzilla.suse.com/1232440 SUSE Bug 1232440 https://bugzilla.suse.com/1235773 SUSE Bug 1235773 https://bugzilla.suse.com/1237804 SUSE Bug 1237804 https://bugzilla.suse.com/1237805 SUSE Bug 1237805 https://bugzilla.suse.com/1237806 SUSE Bug 1237806 https://bugzilla.suse.com/1245254 SUSE Bug 1245254 https://bugzilla.suse.com/1246430 SUSE Bug 1246430 https://www.suse.com/security/cve/CVE-2024-35221/ SUSE CVE CVE-2024-35221 page https://www.suse.com/security/cve/CVE-2024-47220/ SUSE CVE CVE-2024-47220 page https://www.suse.com/security/cve/CVE-2024-49761/ SUSE CVE CVE-2024-49761 page https://www.suse.com/security/cve/CVE-2025-24294/ SUSE CVE CVE-2025-24294 page https://www.suse.com/security/cve/CVE-2025-27219/ SUSE CVE CVE-2025-27219 page https://www.suse.com/security/cve/CVE-2025-27220/ SUSE CVE CVE-2025-27220 page https://www.suse.com/security/cve/CVE-2025-27221/ SUSE CVE CVE-2025-27221 page https://www.suse.com/security/cve/CVE-2025-6442/ SUSE CVE CVE-2025-6442 page Container bci/ruby:2 SUSE Linux Enterprise Module for Basesystem 15 SP7 libruby2_5-2_5-2.5.9-150700.24.3.1 ruby2.5-2.5.9-150700.24.3.1 ruby2.5-devel-2.5.9-150700.24.3.1 ruby2.5-stdlib-2.5.9-150700.24.3.1 ruby2.5-devel-extra-2.5.9-150700.24.3.1 ruby2.5-doc-2.5.9-150700.24.3.1 ruby2.5-doc-ri-2.5.9-150700.24.3.1 libruby2_5-2_5-2.5.9-150700.24.3.1 as a component of Container bci/ruby:2 ruby2.5-2.5.9-150700.24.3.1 as a component of Container bci/ruby:2 ruby2.5-devel-2.5.9-150700.24.3.1 as a component of Container bci/ruby:2 ruby2.5-stdlib-2.5.9-150700.24.3.1 as a component of Container bci/ruby:2 libruby2_5-2_5-2.5.9-150700.24.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 ruby2.5-2.5.9-150700.24.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 ruby2.5-devel-2.5.9-150700.24.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 ruby2.5-devel-extra-2.5.9-150700.24.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 ruby2.5-stdlib-2.5.9-150700.24.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. CVE-2024-35221 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2024-35221.html CVE-2024-35221 https://bugzilla.suse.com/1225905 SUSE Bug 1225905 An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." CVE-2024-47220 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2024-47220.html CVE-2024-47220 https://bugzilla.suse.com/1230930 SUSE Bug 1230930 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability. CVE-2024-49761 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2024-49761.html CVE-2024-49761 https://bugzilla.suse.com/1232440 SUSE Bug 1232440 The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. CVE-2025-24294 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2025-24294.html CVE-2025-24294 https://bugzilla.suse.com/1246430 SUSE Bug 1246430 In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. CVE-2025-27219 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2025-27219.html CVE-2025-27219 https://bugzilla.suse.com/1237804 SUSE Bug 1237804 In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. CVE-2025-27220 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2025-27220.html CVE-2025-27220 https://bugzilla.suse.com/1237806 SUSE Bug 1237806 In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. CVE-2025-27221 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2025-27221.html CVE-2025-27221 https://bugzilla.suse.com/1237805 SUSE Bug 1237805 Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876. CVE-2025-6442 Container bci/ruby:2:libruby2_5-2_5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-devel-2.5.9-150700.24.3.1 Container bci/ruby:2:ruby2.5-stdlib-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libruby2_5-2_5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-devel-extra-2.5.9-150700.24.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-stdlib-2.5.9-150700.24.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254264-1/ https://www.suse.com/security/cve/CVE-2025-6442.html CVE-2025-6442 https://bugzilla.suse.com/1245252 SUSE Bug 1245252