[CLSA-2026:1781274490] Fix CVE(s): CVE-2025-27219, CVE-2025-27220, CVE-2025-61594
Type:
security
Severity:
Important
Release date:
2026-06-12 14:28:42 UTC
Description:
* SECURITY UPDATE: cgi and uri vulnerabilities in the bundled gems
  - debian/patches/CVE-2025-27219.patch: CGI::Cookie.parse merged repeated cookie names with an allocating array `+`, giving O(n^2) work and a DoS on crafted Cookie headers; merge in place with concat instead.
  - debian/patches/CVE-2025-27220.patch: CGI::Util#escapeElement and #unescapeElement used a lazy-backtracking regex vulnerable to ReDoS; replace with possessive/atomic forms that also handle unclosed tags.
  - debian/patches/CVE-2025-61594.patch: URI::Generic#merge / + leaked the base URI's password when only the host changed (bypass of CVE-2025-27221); clear userinfo atomically via authority accessors.
  - CVE-2025-27219
  - CVE-2025-27220
  - CVE-2025-61594
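An added example, not code from the cgi gem or from this advisory's patches: a simplified model of the CVE-2025-27219 change described above, merging repeated cookie names once with `+` and once with `concat` and counting array slots written as a proxy for work. The function names, the `writes` counter and the `sid` sample header are constructed for illustration.

```ruby
# Simplified model of merging repeated cookie names (not the cgi gem's source).
# `writes` tallies how many array slots each strategy fills while building
# the per-name value lists; it is an illustrative proxy for CPU/allocation cost.

# Constructed sample input: one cookie name repeated n times.
def constructed_cookie_header(n, name = "sid")
  (1..n).map { |i| "#{name}=v#{i}" }.join("; ")
end

# Split "a=1; b=2" into [name, [value]] pairs.
def split_pairs(header)
  header.split(/;\s?/).map do |pair|
    name, value = pair.split("=", 2)
    [name, [value.to_s]]
  end
end

# Pre-patch shape: `old + new` allocates a fresh array and copies every value
# seen so far, so the k-th repeat of a name costs k slot writes: O(n^2) total.
def merge_with_plus(header)
  cookies = {}
  writes = 0
  split_pairs(header).each do |name, values|
    merged = (cookies[name] || []) + values
    writes += merged.length
    cookies[name] = merged
  end
  [cookies, writes]
end

# Patched shape: concat appends in place, so each repeat writes only its own values.
def merge_with_concat(header)
  cookies = {}
  writes = 0
  split_pairs(header).each do |name, values|
    (cookies[name] ||= []).concat(values)
    writes += values.length
  end
  [cookies, writes]
end

if __FILE__ == $PROGRAM_NAME
  [100, 1_000, 5_000].each do |n|
    header = constructed_cookie_header(n)
    _, plus = merge_with_plus(header)
    _, cat = merge_with_concat(header)
    puts "repeats=#{n} plus_writes=#{plus} concat_writes=#{cat}"
  end
end
```

Both strategies produce the same parsed result; only the amount of copying differs, which is why the header size an attacker needs for a noticeable stall grows much more slowly before the patch than after it.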
Updated packages:
  • alt-ruby30_3.0.7-174_amd64.deb
    sha:c0bad7585e8e60729fa71bb402993925f013a34f
  • alt-ruby30-default-gems_3.0.7-174_amd64.deb
    sha:b987b928824e4d2bad98df7bd919d3fb551cc35e
  • alt-ruby30-devel_3.0.7-174_amd64.deb
    sha:98934117b7b9c16a25a8585d700e3f58f5d2d603
  • alt-ruby30-doc_3.0.7-174_amd64.deb
    sha:d588ea3576664bfcf7777da5bd9edd0894745aa8
  • alt-ruby30-libs_3.0.7-174_amd64.deb
    sha:e40ccb2df021eb9ad74eb188219726d6c44dd060
  • alt-ruby30-rubygem-bigdecimal_3.0.0-174_amd64.deb
    sha:5c477e699dc531a6a6689744e4f5057fb1ad95c3
  • alt-ruby30-rubygem-bundler_2.2.33-174_amd64.deb
    sha:fa99ede128deb067b85c1b3f38e06bacfed21e99
  • alt-ruby30-rubygem-io-console_0.5.7-174_amd64.deb
    sha:c95daf16473a9b96e70356c6461c6ade91579055
  • alt-ruby30-rubygem-irb_1.3.5-174_amd64.deb
    sha:cf9dd16bc3708240ebf8e2ecbb8e349be2466f9c
  • alt-ruby30-rubygem-json_2.5.1-174_amd64.deb
    sha:50e27f1f0c4c28dfb32128994b1be72c11ef10c4
  • alt-ruby30-rubygem-minitest_5.14.2-174_amd64.deb
    sha:2bc5a60a9aa0ef3b35fd3c652d8a681a2d648024
  • alt-ruby30-rubygem-power-assert_1.2.1-174_amd64.deb
    sha:93de03f6acafde162067a7572125ee9030b361bb
  • alt-ruby30-rubygem-psych_3.3.2-174_amd64.deb
    sha:ade52ecc6336af66c56962ad29d5fe2c8c2c6d16
  • alt-ruby30-rubygem-rake_13.0.3-174_amd64.deb
    sha:ad2ad6ac804de3c1c45d7e96534f89594b6e2848
  • alt-ruby30-rubygem-rbs_1.4.0-174_amd64.deb
    sha:c99af8e135acc4dc428303f411819a1b346fd650
  • alt-ruby30-rubygem-rdoc_6.3.4.1-174_amd64.deb
    sha:1ad515ca25b5ec684123bdb0a1c8558dd8bdab61
  • alt-ruby30-rubygem-rexml_3.2.5-174_amd64.deb
    sha:4d39165db52c942457444195bd3c2dac2a75cd2c
  • alt-ruby30-rubygem-rss_0.2.9-174_amd64.deb
    sha:c529580f34040574a391e96e83193f08f20c3050
  • alt-ruby30-rubygem-test-unit_3.3.7-174_amd64.deb
    sha:0f7a3df1f393f03a3964f559d3df76af8cd3a49a
  • alt-ruby30-rubygem-typeprof_0.15.2-174_amd64.deb
    sha:ee93e7f653763d1ec9411182d537d06315fbcfb6
  • alt-ruby30-rubygems_3.2.33-174_amd64.deb
    sha:82c3692e16cdfe76d8258cc3726a18770fa9398a
  • alt-ruby30-rubygems-devel_3.2.33-174_amd64.deb
    sha:5538befe824db71e7485bb2a868d89e5eddc8d65
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.