SB2025030761 - openEuler 20.03 LTS SP4 update for ruby

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-27219)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in CGI::Cookie.parse. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.

2) Inefficient regular expression complexity (CVE-ID: CVE-2025-27220)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in CGI::Util#escapeElement. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

3) Information disclosure (CVE-ID: CVE-2025-27221)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to URI#join, URI#merge, and URI#+ methods retain sensitive information, such as user:password, even after the host is replaced. A remote attacker can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1244