CVE-2025-27219
In the CGI gem, the CGI::Cookie.parse method
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.
CVE-2025-27220
In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.
CVE-2025-27221
In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.
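A defensive wrapper around URI#merge for the CVE-2025-27221 behaviour described above, as an added example (not code from the URI gem or this advisory): safe_merge never carries the base URI's credentials to a different host, whichever URI version is installed, and credentials_leaked? reports whether the installed library shows the behaviour.

```ruby
require 'uri'

# Added example, not code from the URI gem or the Debian advisory.
#
# CVE-2025-27221: in affected URI versions, URI#merge (also URI.join and
# URI#+) keeps the base URI's userinfo when the relative reference
# replaces the host, so "http://user:pass@example.com/" merged with
# "//other.example/" yields "http://user:pass@other.example/".
#
# safe_merge wraps URI#merge and discards the base credentials whenever
# the result points at a different host or port, keeping only the
# credentials the reference itself carried (usually none).
def safe_merge(base, ref)
  base_uri = URI(base)
  ref_uri  = URI(ref)
  merged   = base_uri.merge(ref_uri)

  if merged.host != base_uri.host || merged.port != base_uri.port
    # URI#userinfo= ignores nil, so clear the two components individually;
    # password goes first because URI#password= requires a user to be set.
    merged.password = ref_uri.password
    merged.user     = ref_uri.user
  end
  merged
end

# Reports whether the installed URI library carries the base URI's
# credentials to a different host (true on unpatched versions).
def credentials_leaked?(base, ref)
  base_uri = URI(base)
  merged   = base_uri.merge(ref)
  !merged.userinfo.nil? &&
    merged.userinfo == base_uri.userinfo &&
    merged.host != base_uri.host
end

if $PROGRAM_NAME == __FILE__
  base = "http://user:pass@example.com/api" # constructed sample base URI
  puts "library leaks: #{credentials_leaked?(base, '//other.example/cb')}"
  puts "safe_merge:    #{safe_merge(base, '//other.example/cb')}"
  puts "same host:     #{safe_merge(base, '/v2/status')}"
end
```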
For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u5.
We recommend that you upgrade your ruby2.7 packages.
For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/ruby2.7