Security update for ruby2.5

Announcement ID:	SUSE-SU-2025:4264-1
Release Date:	2025-11-26T15:52:48Z
Rating:	important
References:	bsc#1225905 bsc#1230930 bsc#1232440 bsc#1235773 bsc#1237804 bsc#1237805 bsc#1237806 bsc#1245254 bsc#1246430
Cross-References:	CVE-2024-35221 CVE-2024-47220 CVE-2024-49761 CVE-2025-24294 CVE-2025-27219 CVE-2025-27220 CVE-2025-27221 CVE-2025-6442
CVSS scores:	CVE-2024-35221 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2024-47220 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2024-47220 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2024-47220 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2024-49761 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-49761 ( NVD ): 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-49761 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-24294 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-24294 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-24294 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-27219 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-27219 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-27219 ( NVD ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2025-27219 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-27220 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-27220 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-27220 ( NVD ): 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2025-27220 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-27221 ( SUSE ): 5.9 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-27221 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-27221 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVE-2025-27221 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-6442 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2025-6442 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-6442 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Affected Products:	Basesystem Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves eight vulnerabilities and has one security fix can now be installed.

Description:

This update for ruby2.5 fixes the following issues:

• CVE-2024-35221: Fixed remote DoS via YAML manifest (bsc#1225905)
• CVE-2024-47220: Fixed HTTP request smuggling in WEBrick (bsc#1230930)
• CVE-2024-49761: Fixed ReDOS vulnerability by updating REXML to 3.3.9 (bsc#1232440)
• CVE-2025-24294: Fixed denial of service (DoS) caused by an insufficient check on the length of a decompressed domain name within a DNS packet in resolv gem (bsc#1246430)
• CVE-2025-27219: Fixed denial of service in CGI::Cookie.parse (bsc#1237804)
• CVE-2025-27220: Fixed ReDoS in CGI::Util#escapeElement (bsc#1237806)
• CVE-2025-27221: Fixed userinfo leakage in URI#join, URI#merge and URI#+ (bsc#1237805)
• CVE-2025-6442: Fixed ruby WEBrick read_header HTTP request smuggling vulnerability (bsc#1245254)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-4264=1

Package List:

• Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • ruby2.5-stdlib-2.5.9-150700.24.3.1
  • ruby2.5-devel-2.5.9-150700.24.3.1
  • ruby2.5-debuginfo-2.5.9-150700.24.3.1
  • ruby2.5-debugsource-2.5.9-150700.24.3.1
  • libruby2_5-2_5-debuginfo-2.5.9-150700.24.3.1
  • ruby2.5-2.5.9-150700.24.3.1
  • libruby2_5-2_5-2.5.9-150700.24.3.1
  • ruby2.5-stdlib-debuginfo-2.5.9-150700.24.3.1
  • ruby2.5-devel-extra-2.5.9-150700.24.3.1

References:

• https://www.suse.com/security/cve/CVE-2024-35221.html
• https://www.suse.com/security/cve/CVE-2024-47220.html
• https://www.suse.com/security/cve/CVE-2024-49761.html
• https://www.suse.com/security/cve/CVE-2025-24294.html
• https://www.suse.com/security/cve/CVE-2025-27219.html
• https://www.suse.com/security/cve/CVE-2025-27220.html
• https://www.suse.com/security/cve/CVE-2025-27221.html
• https://www.suse.com/security/cve/CVE-2025-6442.html
• https://bugzilla.suse.com/show_bug.cgi?id=1225905
• https://bugzilla.suse.com/show_bug.cgi?id=1230930
• https://bugzilla.suse.com/show_bug.cgi?id=1232440
• https://bugzilla.suse.com/show_bug.cgi?id=1235773
• https://bugzilla.suse.com/show_bug.cgi?id=1237804
• https://bugzilla.suse.com/show_bug.cgi?id=1237805
• https://bugzilla.suse.com/show_bug.cgi?id=1237806
• https://bugzilla.suse.com/show_bug.cgi?id=1245254
• https://bugzilla.suse.com/show_bug.cgi?id=1246430