Summary:
ruby security update
Severity: High
Advisory ID: KylinSec-SA-2025-1647
Release date: March 7, 2025
Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text files and performing system management tasks (such as Perl).
Security Fix(es):
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. (CVE-2025-27219)
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. (CVE-2025-27220)
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. (CVE-2025-27221)
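As an added example (not from the advisory or from the uri gem), the following Ruby code checks whether the installed uri library shows the CVE-2025-27221 behaviour described above, and wraps the join so that credentials inherited from the base URI are dropped when the reference moves the result to another host; the hosts, credentials and function names are constructed for illustration.

```ruby
require 'uri'

# Added example (not from the advisory or the uri gem). Reports whether the
# installed uri library shows the CVE-2025-27221 behaviour: the base URI's
# credentials surviving a scheme-relative reference that changes the host.
# Hosts and credentials are constructed for illustration.
def installed_uri_leaks_userinfo?
  joined = URI.join("http://user:pass@example.com/", "//other.example/")
  !joined.userinfo.nil?
end

# Join wrapper that behaves like the patched library on any uri version: if the
# reference moves the result to a different host and carries no credentials of
# its own, any userinfo left on the result came from the old host and is dropped.
def safe_join(base, ref)
  base_uri = URI.parse(base)
  ref_uri  = URI.parse(ref)
  joined   = base_uri.merge(ref_uri)   # same operation as URI.join / URI#+

  host_changed = !ref_uri.host.nil? && ref_uri.host != base_uri.host
  if host_changed && ref_uri.userinfo.nil? && !joined.userinfo.nil?
    # URI#userinfo= treats nil as a no-op, so the two components are cleared
    # separately through user= and password=.
    joined.password = nil
    joined.user     = nil
  end
  joined
end

if $PROGRAM_NAME == __FILE__
  puts "installed uri leaks userinfo on host change: #{installed_uri_leaks_userinfo?}"
  puts safe_join("http://user:pass@example.com/", "//other.example/x")  # http://other.example/x
  puts safe_join("http://user:pass@example.com/", "/account")          # same host: credentials kept
  puts safe_join("http://user:pass@example.com/", "//bob:secret@other.example/")
end
```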
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2025-27219 | KY3.4-5A | ruby | Fixed |
CVE-2025-27220 | KY3.4-5A | ruby | Fixed |
CVE-2025-27221 | KY3.4-5A | ruby | Fixed |
Package | Architecture | Version |
---|---|---|
ruby-help | noarch | 2.5.8-133.kb1.ky3_4 |
ruby-irb | noarch | 2.5.8-133.kb1.ky3_4 |
rubygem-did_you_mean | noarch | 1.2.0-133.kb1.ky3_4 |
rubygem-minitest | noarch | 5.10.3-133.kb1.ky3_4 |
rubygem-net-telnet | noarch | 0.1.1-133.kb1.ky3_4 |
rubygem-power_assert | noarch | 1.1.1-133.kb1.ky3_4 |
rubygem-rake | noarch | 12.3.0-133.kb1.ky3_4 |
rubygem-rdoc | noarch | 6.0.1.1-133.kb1.ky3_4 |
rubygem-test-unit | noarch | 3.2.7-133.kb1.ky3_4 |
rubygem-xmlrpc | noarch | 0.3.0-133.kb1.ky3_4 |
rubygems | noarch | 2.7.6-133.kb1.ky3_4 |
rubygems-devel | noarch | 2.7.6-133.kb1.ky3_4 |
ruby | x86_64 | 2.5.8-133.kb1.ky3_4 |
ruby-devel | x86_64 | 2.5.8-133.kb1.ky3_4 |
rubygem-bigdecimal | x86_64 | 1.3.4-133.kb1.ky3_4 |
rubygem-io-console | x86_64 | 0.4.6-133.kb1.ky3_4 |
rubygem-json | x86_64 | 2.1.0-133.kb1.ky3_4 |
rubygem-openssl | x86_64 | 2.1.2-133.kb1.ky3_4 |
rubygem-psych | x86_64 | 3.0.2-133.kb1.ky3_4 |
ruby | aarch64 | 2.5.8-133.kb1.ky3_4 |
ruby-devel | aarch64 | 2.5.8-133.kb1.ky3_4 |
rubygem-bigdecimal | aarch64 | 1.3.4-133.kb1.ky3_4 |
rubygem-io-console | aarch64 | 0.4.6-133.kb1.ky3_4 |
rubygem-json | aarch64 | 2.1.0-133.kb1.ky3_4 |
rubygem-openssl | aarch64 | 2.1.2-133.kb1.ky3_4 |
rubygem-psych | aarch64 | 3.0.2-133.kb1.ky3_4 |
Method 1: Download the package and upgrade
1. Download the upgrade package from the download link and save it, e.g. xxx.rpm
2. Upgrade with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: Upgrade from the software repository
1. Make sure the system can connect to the Internet
2. Upgrade the specified package with the yum command, e.g. yum install <package name>