==========================================================================
Ubuntu Security Notice USN-7418-1
April 07, 2025

ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby3.3: Object-oriented scripting language
- ruby3.2: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language
- ruby2.7: Object-oriented scripting language

Details:

It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected in Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)

It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)

It was discovered that the Ruby CGI gem incorrectly handled parsing certain
cookies. A remote attacker could possibly use this issue to consume
resources, leading to a denial of service. (CVE-2025-27219)

It was discovered that the Ruby CGI gem incorrectly handled parsing certain
regular expressions. A remote attacker could possibly use this issue to
consume resources, leading to a denial of service. (CVE-2025-27220)

It was discovered that the Ruby URI gem incorrectly handled certain URI
handling methods. A remote attacker could possibly use this issue to leak
authentication credentials. (CVE-2025-27221)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libruby3.3                      3.3.4-2ubuntu5.2
  ruby3.3                         3.3.4-2ubuntu5.2

Ubuntu 24.04 LTS
  libruby3.2                      3.2.3-1ubuntu0.24.04.5
  ruby3.2                         3.2.3-1ubuntu0.24.04.5

Ubuntu 22.04 LTS
  libruby3.0                      3.0.2-7ubuntu2.10
  ruby3.0                         3.0.2-7ubuntu2.10

Ubuntu 20.04 LTS
  libruby2.7                      2.7.0-5ubuntu1.18
  ruby2.7                         2.7.0-5ubuntu1.18

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7418-1
  CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398,
  CVE-2025-25186, CVE-2025-27219, CVE-2025-27220, CVE-2025-27221

Package Information:
  https://launchpad.net/ubuntu/+source/ruby3.3/3.3.4-2ubuntu5.2
  https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.5
  https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.10
  https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.18