[CLSA-2026:1781275292] Fix CVE(s): CVE-2025-27219, CVE-2025-27220, CVE-2025-61594

Type:

security

Severity:

Important

Release date:

2026-06-12 14:42:09 UTC

Description:

   * SECURITY UPDATE: cgi and uri vulnerabilities in the bundled gems
     - debian/patches/CVE-2025-27219.patch: CGI::Cookie.parse merged repeated
       cookie names with an allocating array `+`, giving O(n^2) work and a DoS
       on crafted Cookie headers; merge in place with concat instead.
     - debian/patches/CVE-2025-27220.patch: CGI::Util#escapeElement and
       #unescapeElement used a lazy-backtracking regex vulnerable to ReDoS;
       replace with possessive/atomic forms that also handle unclosed tags.
     - debian/patches/CVE-2025-61594.patch: URI::Generic#merge / + leaked the
       base URI's password when only the host changed (bypass of
       CVE-2025-27221); clear userinfo atomically via authority accessors.
     - CVE-2025-27219
     - CVE-2025-27220
     - CVE-2025-61594

CVEs fixed:

Updated packages:

alt-ruby30_3.0.7-174_amd64.deb
sha:5d640223787bdb8f9ab0a901c30719fdeec24cbf
alt-ruby30-default-gems_3.0.7-174_amd64.deb
sha:d185724e4f8affc4f518aa83c5e1dbec41dfe461
alt-ruby30-devel_3.0.7-174_amd64.deb
sha:1a9aea1e9ac651083032010ab2a8826a5b6a8151
alt-ruby30-doc_3.0.7-174_amd64.deb
sha:654db4fdc6bb1ffeb98cd4f8e1c524a80431d99a
alt-ruby30-libs_3.0.7-174_amd64.deb
sha:08ef0192b6ba374f4c7c01174c24eeb6b1880cab
alt-ruby30-rubygem-bigdecimal_3.0.0-174_amd64.deb
sha:4417032c4f588df5241f7a5a616caa83df1629b9
alt-ruby30-rubygem-bundler_2.2.33-174_amd64.deb
sha:ac4da1f34c01d89cbd2c94a7a121f45673482bd1
alt-ruby30-rubygem-io-console_0.5.7-174_amd64.deb
sha:cfb08f0e1fa155ce8d66d6db32e2a2122e3d9273
alt-ruby30-rubygem-irb_1.3.5-174_amd64.deb
sha:9aa4e74ba191376e3ef6da12867b57cdea408a08
alt-ruby30-rubygem-json_2.5.1-174_amd64.deb
sha:493f70387ba5d6aa994083e2d23771d0ae2cc40e
alt-ruby30-rubygem-minitest_5.14.2-174_amd64.deb
sha:b3e1750ec5a60380423b51a1869772b7bfefad56
alt-ruby30-rubygem-power-assert_1.2.1-174_amd64.deb
sha:c861b851cdda791327442ac5600089e4c89b4e76
alt-ruby30-rubygem-psych_3.3.2-174_amd64.deb
sha:68eb5464b159ff90ac28a723588d4c272d2232d2
alt-ruby30-rubygem-rake_13.0.3-174_amd64.deb
sha:e61dbf0325df44cc72efeeb95598a1019c14b7c7
alt-ruby30-rubygem-rbs_1.4.0-174_amd64.deb
sha:25ead3c792251afc18d957fc325482222cef92b3
alt-ruby30-rubygem-rdoc_6.3.4.1-174_amd64.deb
sha:463bffadf1b64800ecff095243968b8887517dd9
alt-ruby30-rubygem-rexml_3.2.5-174_amd64.deb
sha:dbd1f8129793939603336cf3e877657fbc48642b
alt-ruby30-rubygem-rss_0.2.9-174_amd64.deb
sha:008cdceb8c4de0d9f331dcb4727fdd8b82cb7b0d
alt-ruby30-rubygem-test-unit_3.3.7-174_amd64.deb
sha:9c9cb455081d96b5aa938a116ed7b26895d57e8e
alt-ruby30-rubygem-typeprof_0.15.2-174_amd64.deb
sha:727c3a2a81cf747430cd6910396aafc791fa2697
alt-ruby30-rubygems_3.2.33-174_amd64.deb
sha:2211ee5363d9a071e42d76aaa70a8e4f5db5faa0
alt-ruby30-rubygems-devel_3.2.33-174_amd64.deb
sha:b3e1df042f645f29c8b55dbdb4ab178ca9088f5e

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.