Описание
Security update for ruby2.5
This update for ruby2.5 fixes the following issues:
- CVE-2025-6442: Fixed read_header HTTP Request Smuggling Vulnerability in WEBrick (bsc#1245254)
- CVE-2025-27221: Fixed userinfo leakage in URI#join, URI#merge and URI#+ (bsc#1237805)
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP6
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:02739-1
- E-Mail link for SUSE-SU-2025:02739-1
- SUSE Security Ratings
- SUSE Bug 1237805
- SUSE Bug 1245254
- SUSE CVE CVE-2025-27221 page
- SUSE CVE CVE-2025-6442 page
Описание
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Затронутые продукты
Ссылки
- CVE-2025-27221
- SUSE Bug 1237805
Описание
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
Затронутые продукты
Ссылки
- CVE-2025-6442
- SUSE Bug 1245252