[CLSA-2026:1781102585] Fix CVE(s): CVE-2025-58767, CVE-2026-27820
Type:
security
Severity:
Critical
Release date:
2026-06-10 14:43:33 UTC
Description:
  * SECURITY UPDATE: rexml denial of service via multiple XML declarations
    - debian/patches/CVE-2025-58767.patch: validate XML declarations in
      bundled rexml-3.3.9 (require version, restrict to
      version/encoding/standalone attributes, reject duplicates) and add
      Source#skip_spaces fast path; backport of upstream rexml commit
      5859bdea (PR #282).
    - CVE-2025-58767
  * SECURITY UPDATE: heap buffer overflow in Zlib::GzipReader#ungetc
    - debian/patches/CVE-2026-27820.patch: make the gzip output buffer
      expansion unconditional in zstream_buffer_ungets() so a large ungetc
      payload cannot memmove/write past the allocation (ext/zlib/zlib.c),
      plus regression test test_ungetc_buffer_underflow
      (test/zlib/test_zlib.rb).
    - CVE-2026-27820
Updated packages:
  • alt-ruby31_3.1.7-10_amd64.deb
    sha:0064ee6b276f646ca0f48f98fe2d4eee14eec2fa
  • alt-ruby31-bundled-gems_3.1.7-10_amd64.deb
    sha:dd281f1c92ca87b8eb85992763bf34f173267092
  • alt-ruby31-default-gems_3.1.7-10_amd64.deb
    sha:6e41cece3cce4a1ed029c9e880a09a311a96840f
  • alt-ruby31-devel_3.1.7-10_amd64.deb
    sha:f909eb1f7d2d0a684aff101f952e83392349783f
  • alt-ruby31-doc_3.1.7-10_amd64.deb
    sha:46f356493ef73727c8418f44947c8fa681f1665b
  • alt-ruby31-libs_3.1.7-10_amd64.deb
    sha:b4609486ba493abc0927a383d27edf617cb787f0
  • alt-ruby31-rubygem-bigdecimal_3.1.1-10_amd64.deb
    sha:a56447a8cff092fc39d90f31db86cc9f8dbc3beb
  • alt-ruby31-rubygem-bundler_2.3.27-10_amd64.deb
    sha:58cad3ad0fedb6898950172dcde0713366f86bc1
  • alt-ruby31-rubygem-io-console_0.5.11-10_amd64.deb
    sha:df9e02ae933a8b3856e2c757b2b492161e55ddfd
  • alt-ruby31-rubygem-irb_1.4.1-10_amd64.deb
    sha:e49f4eadb402db88d4ab7fbf012d18538d3042c1
  • alt-ruby31-rubygem-json_2.6.1-10_amd64.deb
    sha:078110f00eb633fa12296b4abfaf924fab642233
  • alt-ruby31-rubygem-minitest_5.15.0-10_amd64.deb
    sha:49182a90e042c3d7e06c664b7930e382845a6d31
  • alt-ruby31-rubygem-power-assert_2.0.1-10_amd64.deb
    sha:2047301c6a8a974ca19260ee46ac053bad3b1e43
  • alt-ruby31-rubygem-psych_4.0.4-10_amd64.deb
    sha:9ed6c61033a00d25ac8766e053f015fc29026857
  • alt-ruby31-rubygem-rake_13.0.6-10_amd64.deb
    sha:bf39836d16a933300563daf9ad2ae7a3f6abd249
  • alt-ruby31-rubygem-rbs_2.7.0-10_amd64.deb
    sha:342dc39eb6735f019023788c36939ad8a6317f23
  • alt-ruby31-rubygem-rdoc_6.4.1.1-10_amd64.deb
    sha:1cd5a79908391179997c4f27f0a042cc8bdf18c3
  • alt-ruby31-rubygem-rexml_3.3.9-10_amd64.deb
    sha:3334c05ff4b685c5ed8ceac0fdd8590f72c1fc99
  • alt-ruby31-rubygem-rss_0.3.1-10_amd64.deb
    sha:3d09190657404e592efec39774d3cb937b7ee071
  • alt-ruby31-rubygem-test-unit_3.5.3-10_amd64.deb
    sha:ba904d34d13d776969f84e276cd15f86e83eb5cc
  • alt-ruby31-rubygem-typeprof_0.21.3-10_amd64.deb
    sha:d2deca8ca64ddcfec99993182da7bb655230a5c4
  • alt-ruby31-rubygems_3.3.27-10_amd64.deb
    sha:3acdccf0845f89f1e77b84c938db1df241ead95a
  • alt-ruby31-rubygems-devel_3.3.27-10_amd64.deb
    sha:6a02bbbe2424e26af826e9ae1da13de5d3dde1c4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.