
Ubuntu: 7418-1 critical: Ruby denial of service vulnerabilities

Ubuntu, April 7, 2025
This Ubuntu advisory covers several Ruby vulnerabilities that can lead to denial of service, and lists the package versions that fix them.

Summary

Several security issues were fixed in Ruby.

Software Description:

- ruby3.3: Object-oriented scripting language

- ruby3.2: Object-oriented scripting language

- ruby3.0: Object-oriented scripting language

- ruby2.7: Object-oriented scripting language

Details:

It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398)

It was discovered that Ruby incorrectly handled expanding ranges in the net-imap response parser. If a user or automated system were tricked into connecting to a malicious IMAP server, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS,...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libruby3.3                      3.3.4-2ubuntu5.2
   ruby3.3                         3.3.4-2ubuntu5.2

Ubuntu 24.04 LTS
   libruby3.2                      3.2.3-1ubuntu0.24.04.5
   ruby3.2                         3.2.3-1ubuntu0.24.04.5

Ubuntu 22.04 LTS
   libruby3.0                      3.0.2-7ubuntu2.10
   ruby3.0                         3.0.2-7ubuntu2.10

Ubuntu 20.04 LTS
   libruby2.7                      2.7.0-5ubuntu1.18
   ruby2.7                         2.7.0-5ubuntu1.18

In general, a standard system update will make all the necessary changes.
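The fixed-version table above is only useful if you can tell whether an installed package is older than the listed version, and Debian version strings (epoch, upstream version, `ubuntu` revision, `~` pre-release markers) do not sort as plain strings or as RubyGems versions. The script below is an added example, not part of the advisory or of Ubuntu's tooling: it embeds the advisory's table, ports dpkg's version-ordering rules to Ruby, and checks a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output against the fixed versions for a release. The sample output and the `outdated_packages` / `parse_dpkg_output` helper names are assumptions made for this example.

```ruby
# Added example (not from USN-7418-1 or Ubuntu): check installed Ruby package
# versions against the fixed versions in the advisory. The ordering rules are
# a Ruby port of dpkg's algorithm: epoch first, then upstream version, then
# Debian revision; within a fragment, "~" sorts before anything (even the end
# of the string), letters before other symbols, and digit runs by value.

# Fixed versions copied from the advisory, keyed by Ubuntu release.
FIXED_VERSIONS = {
  "Ubuntu 24.10"     => { "libruby3.3" => "3.3.4-2ubuntu5.2",       "ruby3.3" => "3.3.4-2ubuntu5.2" },
  "Ubuntu 24.04 LTS" => { "libruby3.2" => "3.2.3-1ubuntu0.24.04.5", "ruby3.2" => "3.2.3-1ubuntu0.24.04.5" },
  "Ubuntu 22.04 LTS" => { "libruby3.0" => "3.0.2-7ubuntu2.10",      "ruby3.0" => "3.0.2-7ubuntu2.10" },
  "Ubuntu 20.04 LTS" => { "libruby2.7" => "2.7.0-5ubuntu1.18",      "ruby2.7" => "2.7.0-5ubuntu1.18" },
}.freeze

def digit?(c)
  !c.nil? && c.between?("0", "9")
end

# Sort weight of one character inside a non-numeric run, as dpkg defines it.
def char_order(c)
  return 0 if c.nil? || digit?(c)      # end of string and digits weigh nothing
  return -1 if c == "~"                # "~" sorts before everything, even the end
  return c.ord if c.match?(/[A-Za-z]/)
  c.ord + 256                          # other symbols sort after letters
end

# Compare one fragment (upstream or revision) and return -1, 0 or 1.
def compare_fragment(a, b)
  i = j = 0
  while i < a.size || j < b.size
    # Non-numeric run: compare character by character.
    while (i < a.size && !digit?(a[i])) || (j < b.size && !digit?(b[j]))
      ac = char_order(a[i])
      bc = char_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    # Numeric run: drop leading zeros, then compare digit by digit and by length.
    i += 1 while a[i] == "0"
    j += 1 while b[j] == "0"
    first_diff = 0
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if digit?(a[i])           # a has more digits left, so it is larger
    return -1 if digit?(b[j])
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end

# Split "epoch:upstream-revision" into its three parts (epoch and revision optional).
def split_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  upstream, sep, revision = rest.rpartition("-")   # the revision follows the last "-"
  upstream, revision = rest, "" if sep.empty?      # no Debian revision at all
  [epoch.to_i, upstream, revision]
end

def deb_compare(a, b)
  ea, ua, ra = split_version(a)
  eb, ub, rb = split_version(b)
  c = ea <=> eb
  c = compare_fragment(ua, ub) if c.zero?
  c = compare_fragment(ra, rb) if c.zero?
  c
end

# Parse "package version" lines as printed by dpkg-query -W -f='${Package} ${Version}\n'.
def parse_dpkg_output(text)
  text.each_line.with_object({}) do |line, pkgs|
    name, version = line.split
    pkgs[name] = version if name && version
  end
end

# Packages from the advisory table that are installed at a version below the fix.
def outdated_packages(release, installed)
  return [] unless FIXED_VERSIONS.key?(release)    # release not covered by this notice
  FIXED_VERSIONS[release]
    .select { |pkg, fixed| installed.key?(pkg) && deb_compare(installed[pkg], fixed) < 0 }
    .keys
end

# Constructed sample (hypothetical host): libruby3.0 already updated, ruby3.0 not.
SAMPLE_DPKG_OUTPUT = <<~OUT
  libruby3.0 3.0.2-7ubuntu2.10
  ruby3.0 3.0.2-7ubuntu2.9
  ruby-rubygems 3.3.5-2
OUT

if __FILE__ == $0
  outdated = outdated_packages("Ubuntu 22.04 LTS", parse_dpkg_output(SAMPLE_DPKG_OUTPUT))
  puts outdated.empty? ? "advisory packages are at or above the fixed versions" :
                         "still below the fixed version: #{outdated.join(', ')}"
end
```

On a real host the authoritative comparison is `dpkg --compare-versions "$installed" lt "$fixed"`; the Ruby port is there so the check can run in a fleet-inventory script or a CI job that only has the `dpkg-query` output, not dpkg itself. Both `libruby` and `ruby` packages must be checked, since the library package is what a running application actually loads.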

References

https://ubuntu.com/security/notices/USN-7418-1

CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398,

CVE-2025-25186, CVE-2025-27219, CVE-2025-27220, CVE-2025-27221

Severity: critical

Ubuntu Security Notice USN-7418-1
