SB2025041755 - Ubuntu update for ruby2.3

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-27219)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in CGI::Cookie.parse. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.

2) Inefficient regular expression complexity (CVE-ID: CVE-2025-27220)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in CGI::Util#escapeElement. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

3) Information disclosure (CVE-ID: CVE-2025-27221)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to URI#join, URI#merge, and URI#+ methods retain sensitive information, such as user:password, even after the host is replaced. A remote attacker can gain access to sensitive information.

4) Inefficient regular expression complexity (CVE-ID: CVE-2024-49761)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when parsing an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7442-1