UbuntuUpdates.org

Package "ruby2.7"

Name: ruby2.7

Description:

Interpreter of object-oriented scripting language Ruby

Latest version: 2.7.0-5ubuntu1.18
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://www.ruby-lang.org/

Other versions of "ruby2.7" in Focal

Repository Area Version
base main 2.7.0-5ubuntu1
security main 2.7.0-5ubuntu1.18



Changelog

Version: 2.7.0-5ubuntu1.18 2025-04-07 17:07:01 UTC

  ruby2.7 (2.7.0-5ubuntu1.18) focal-security; urgency=medium

  * SECURITY UPDATE: DoS in CGI Gem
    - debian/patches/CVE-2025-27219.patch: use String#concat instead of
      String#+ for reducing cpu usage in lib/cgi/cookie.rb.
    - CVE-2025-27219
  * SECURITY UPDATE: ReDoS in CGI Gem
    - debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
      well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
    - CVE-2025-27220
  * SECURITY UPDATE: credential leak in URI gem
    - debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
      lib/uri/generic.rb, test/uri/test_generic.rb.
    - debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
      authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
    - CVE-2025-27221

 -- Marc Deslauriers <email address hidden> Tue, 04 Mar 2025 14:52:55 -0500

CVE-2025-27219 In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The
CVE-2025-27220 In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
CVE-2025-27221 In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials
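The CVE-2025-27221 entry above is the one item in this update that is worth checking from application code rather than from the package version alone: URI.join, URI#merge and URI#+ kept the base URI's userinfo when the reference supplied a new host without credentials of its own. The following is an added example, not code from the Ubuntu package, the changelog, or the uri gem. It gives a runtime probe for the merge behaviour and a defensive wrapper that is safe on either a patched or an unpatched uri gem. The URIs and the function names (userinfo_leaks_on_merge?, safe_merge) are constructed for illustration.

```ruby
require "uri"

# Added example; not code from the Ubuntu package, the changelog, or the uri gem.
# CVE-2025-27221: URI.join / URI#merge / URI#+ kept the base URI's userinfo when
# the reference replaced the host without carrying userinfo of its own, so a
# "user:password" issued for one host was silently attached to another.
# All sample URIs below are constructed for illustration.

# Probe: does this runtime still leak the base's credentials on merge?
# Returns true on an affected uri gem, false on a fixed one.
def userinfo_leaks_on_merge?
  base = URI.parse("http://user:s3cret@example.com/app/")
  merged = base.merge("//other.example.com/callback")
  merged.host == "other.example.com" && !merged.userinfo.nil?
end

# Defensive merge that behaves the same on either version: do the normal merge,
# then strip credentials whenever the reference replaced the authority and did
# not carry credentials of its own. Credentials issued for one host must never
# travel to another.
def safe_merge(base, ref)
  base = URI.parse(base) unless base.is_a?(URI::Generic)
  ref_uri = URI.parse(ref.to_s)
  merged = base.merge(ref_uri)
  authority_replaced = ref_uri.absolute? || !ref_uri.host.nil?
  if authority_replaced && ref_uri.userinfo.nil?
    merged = merged.dup
    merged.password = nil # cleared field by field so URI#to_s omits the userinfo
    merged.user = nil
  end
  merged
end

if __FILE__ == $PROGRAM_NAME
  puts "runtime leaks userinfo on merge: #{userinfo_leaks_on_merge?}"
  # Same-host relative reference: credentials legitimately stay.
  puts safe_merge("http://user:s3cret@example.com/app/", "status")
  # Host-replacing reference: credentials must go.
  puts safe_merge("http://user:s3cret@example.com/app/", "//other.example.com/callback")
end
```

The probe is only meaningful on the interpreter you actually deploy; run it under /usr/bin/ruby2.7 on the Focal host, not under a developer's newer Ruby. The wrapper is the belt-and-braces control for code that builds redirect or callback targets from user-supplied references, since it does not depend on which uri gem is loaded.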

Version: 2.7.0-5ubuntu1.17 2025-02-13 11:06:51 UTC

  ruby2.7 (2.7.0-5ubuntu1.17) focal-security; urgency=medium

  * SECURITY REGRESSION: fix xml namespace issue (LP: #2097527)
    - d/p/fix-lp2097527.patch: Fix handling with "xml:" prefixed namespace

 -- Nishit Majithia <email address hidden> Mon, 10 Feb 2025 09:36:18 +0530

2097527 ruby2.7 2.7.0-5ubuntu1.16 regression: REXML parse error with \

Version: 2.7.0-5ubuntu1.16 2025-02-06 07:06:54 UTC

  ruby2.7 (2.7.0-5ubuntu1.16) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in REXML
    - debian/patches/CVE-2024-43398*: improve namespace conflicted
      attribute check performance
    - CVE-2024-43398
  * Update CVE-2024-39908 patches as d/p/CVE-2024-39908-*.patch
  * Refactor patches for CVE-2024-35176 and CVE-2024-41123

 -- Nishit Majithia <email address hidden> Tue, 04 Feb 2025 10:33:59 +0530

CVE-2024-43398 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same
CVE-2024-39908 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters suc
CVE-2024-35176 REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an att
CVE-2024-41123 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters suc

Version: 2.7.0-5ubuntu1.15 2024-11-21 07:06:45 UTC

  ruby2.7 (2.7.0-5ubuntu1.15) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in REXML
    - debian/patches/CVE-2024-35176_39908_41123-*.patch: Read quoted
      attributes in chunks
    - debian/patches/CVE-2024-41946.patch: Add support for XML entity
      expansion limitation in SAX and pull parsers
    - debian/patches/CVE-2024-49761.patch: fix a bug that &#0x...; is
      accepted as a character reference
    - CVE-2024-35176
    - CVE-2024-39908
    - CVE-2024-41123
    - CVE-2024-41946
    - CVE-2024-49761
  * d/control and d/rules: use gcc-10 for build on riscv64 arch

 -- Nishit Majithia <email address hidden> Wed, 30 Oct 2024 17:55:52 +0530

CVE-2024-35176 REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an att
CVE-2024-41946 REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull
CVE-2024-49761 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...
CVE-2024-39908 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters suc
CVE-2024-41123 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters suc
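The REXML entries in 2.7.0-5ubuntu1.16 and 2.7.0-5ubuntu1.15 above are all parser denial-of-service fixes: attacker-controlled XML makes the parser spend unbounded CPU or memory, and the CVE-2024-41946 patch specifically extends entity-expansion limiting to the SAX and pull parsers. The following is an added example, not code from the Ubuntu package or the REXML project, showing how to parse untrusted XML under REXML's process-wide expansion limits (REXML::Security.entity_expansion_limit and entity_expansion_text_limit) and reject a document that trips them. The sample documents, the limit values and the helper name parse_with_limits are constructed for illustration.

```ruby
require "rexml/document"

# Added example; not code from the Ubuntu package or the REXML project.
# Entity expansion ("billion laughs") is the classic XML parser DoS: a few
# hundred bytes of DTD expand to gigabytes of text. REXML::Security exposes
# two process-wide limits; this helper tightens them around a parse and
# reports whether the document was accepted.

# Constructed benign input.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <note>hello &amp; welcome</note>
XML

# Constructed hostile input: four levels of 10-way nesting, 10^4 copies of
# "lol" from a document that is well under 1 KiB on the wire.
LAUGHS_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  ]>
  <lolz>&lol4;</lolz>
XML

MAX_EXPANSIONS     = 100   # REXML default is 10_000 (assumed value for this example)
MAX_EXPANDED_BYTES = 4096  # REXML default is 10_240 (assumed value for this example)

# Parses +xml+ with tightened limits and forces entity expansion of the root
# text. Returns [:ok, text] or [:rejected, reason]. The explicit byte check
# is a second line of defence in case the loaded REXML enforces limits
# differently from the version this was written against.
def parse_with_limits(xml)
  old_count = REXML::Security.entity_expansion_limit
  old_bytes = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = MAX_EXPANSIONS
  REXML::Security.entity_expansion_text_limit = MAX_EXPANDED_BYTES
  doc = REXML::Document.new(xml)
  text = doc.root.text.to_s # entity references are expanded lazily, here
  if text.bytesize > MAX_EXPANDED_BYTES
    [:rejected, "expanded text is #{text.bytesize} bytes, limit #{MAX_EXPANDED_BYTES}"]
  else
    [:ok, text]
  end
rescue RuntimeError, REXML::ParseException => e
  # REXML raises RuntimeError ("entity expansion has grown too large" or
  # "number of entity expansions exceeded") when a limit is hit.
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_limit = old_count
  REXML::Security.entity_expansion_text_limit = old_bytes
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_limits(BENIGN_XML)
  p parse_with_limits(LAUGHS_XML)
end
```

The limits are global to the process, which is why the helper restores them in the ensure block; in a multi-threaded server set them once at boot instead. Tightening these knobs does nothing against the other vectors fixed in these updates (many `<`s in an attribute, many specific characters, the `&#0x...;` reference form, deep same-named elements), for which the only remedy is the patched package.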

Version: 2.7.0-5ubuntu1.14 2024-06-26 17:07:15 UTC

  ruby2.7 (2.7.0-5ubuntu1.14) focal-security; urgency=medium

  * SECURITY UPDATE: buffer over-read in StringIO
    - debian/patches/CVE-2024-27280.patch: fix expanding size at
      ungetc/ungetbyte in ext/stringio/stringio.c,
      test/stringio/test_stringio.rb.
    - CVE-2024-27280

 -- Marc Deslauriers <email address hidden> Wed, 19 Jun 2024 10:33:00 -0400

CVE-2024-27280 A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and unget
