SB2025122331 - Red Hat Enterprise Linux 10 update for ruby

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2025-24294)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling DNS packets. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2025-58767)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing invalid XML containing multiple XML declarations. A local attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Link following (CVE-ID: CVE-2025-26625)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an insecure link following issue. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. A remote attacker can write arbitrary files using crafted links, leading to remote code execution. 

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2025:23927