[CLSA-2026:1781103006] Fix CVE(s): CVE-2025-58767, CVE-2026-27820
Type:
security
Severity:
Critical
Release date:
2026-06-10 14:50:33 UTC
Description:
* SECURITY UPDATE: rexml denial of service via multiple XML declarations - debian/patches/CVE-2025-58767.patch: validate XML declarations in bundled rexml-3.3.9 (require version, restrict to version/encoding/ standalone attributes, reject duplicates) and add Source#skip_spaces fast path; backport of upstream rexml commit 5859bdea (PR #282). - CVE-2025-58767 * SECURITY UPDATE: heap buffer overflow in Zlib::GzipReader#ungetc - debian/patches/CVE-2026-27820.patch: make the gzip output buffer expansion unconditional in zstream_buffer_ungets() so a large ungetc payload cannot memmove/write past the allocation (ext/zlib/zlib.c), plus regression test test_ungetc_buffer_underflow (test/zlib/test_zlib.rb). - CVE-2026-27820
CVEs fixed:
Updated packages:
  • alt-ruby31_3.1.7-10_amd64.deb
    sha:441162e1618c62fb82336cbcde5e9a1e18d15c67
  • alt-ruby31-bundled-gems_3.1.7-10_amd64.deb
    sha:6d281cd0c68c0d1064e955840dad8e0ab1b217c7
  • alt-ruby31-default-gems_3.1.7-10_amd64.deb
    sha:99d9f00e5bcf4dd1ce7ed89a1c08a1354473c966
  • alt-ruby31-devel_3.1.7-10_amd64.deb
    sha:11f4a758cd5f40bef86f59ac12bb9fe84a24e0d8
  • alt-ruby31-doc_3.1.7-10_amd64.deb
    sha:b6bcb5b9468b07d4c018826738d706ba098c27fc
  • alt-ruby31-libs_3.1.7-10_amd64.deb
    sha:e649dc12cd856db19ef97d36aabe3ce591cfebc1
  • alt-ruby31-rubygem-bigdecimal_3.1.1-10_amd64.deb
    sha:cd9e9fb2f942646b13023c26c9da1fff762353a3
  • alt-ruby31-rubygem-bundler_2.3.27-10_amd64.deb
    sha:23a9edd64b0f43ea232012c86a5021cae484eb82
  • alt-ruby31-rubygem-io-console_0.5.11-10_amd64.deb
    sha:f26a0ce15af21088722514f5a31a46063e71baa3
  • alt-ruby31-rubygem-irb_1.4.1-10_amd64.deb
    sha:d046a068468d3ccba29a3dbe762babeeb121aea7
  • alt-ruby31-rubygem-json_2.6.1-10_amd64.deb
    sha:ab66c764505885fcaa7fc2fea1605f19b6fca5ff
  • alt-ruby31-rubygem-minitest_5.15.0-10_amd64.deb
    sha:745e0bbcada0842fd90660db4d8fd3546f05f1e7
  • alt-ruby31-rubygem-power-assert_2.0.1-10_amd64.deb
    sha:27c841956bf307752cd1f7c03109ed33bd5bb752
  • alt-ruby31-rubygem-psych_4.0.4-10_amd64.deb
    sha:35dfe1f749689560cb8a30c9677fce863a56205d
  • alt-ruby31-rubygem-rake_13.0.6-10_amd64.deb
    sha:d141d15142ebd57de86394f20f08f8a496b2a334
  • alt-ruby31-rubygem-rbs_2.7.0-10_amd64.deb
    sha:aa6ac7e7b0f205e2602b930bfe46b88f5af46006
  • alt-ruby31-rubygem-rdoc_6.4.1.1-10_amd64.deb
    sha:23624f565a46ce76c14a196841cd6dcc2f24bf4a
  • alt-ruby31-rubygem-rexml_3.3.9-10_amd64.deb
    sha:ebe0d3b3c8035c64ccfca62ecd500fcdcdb152d7
  • alt-ruby31-rubygem-rss_0.3.1-10_amd64.deb
    sha:96d24c917f7f2101bcec95a5c7dfe03f725b7a22
  • alt-ruby31-rubygem-test-unit_3.5.3-10_amd64.deb
    sha:58f89a91d7187d8f4d93446cebdeeb64caa43b32
  • alt-ruby31-rubygem-typeprof_0.21.3-10_amd64.deb
    sha:42056244d503ca6a2b41ec3ea3ecc4927d642b92
  • alt-ruby31-rubygems_3.3.27-10_amd64.deb
    sha:bec9f8c328af97babb09c64423403e6ae90b2ee0
  • alt-ruby31-rubygems-devel_3.3.27-10_amd64.deb
    sha:6de046c26d2fffa09f49c497c42248ecde8ddef8
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.