SB2025062746 - Red Hat Enterprise Linux 10 update for ruby
Published: June 27, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Asymmetric Resource Consumption (Amplification) (CVE-ID: CVE-2025-25186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2025-27219)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in CGI::Cookie.parse. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
3) Information disclosure (CVE-ID: CVE-2025-27221)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to URI#join, URI#merge, and URI#+ methods retain sensitive information, such as user:password, even after the host is replaced. A remote attacker can gain access to sensitive information.
Remediation
Install update from vendor's website.