[CLSA-2026:1781101718] Fix CVE(s): CVE-2025-58767, CVE-2026-27820
Type: security
Severity: Critical
Release date: 2026-06-10 14:29:02 UTC
Description:
* SECURITY UPDATE: rexml denial of service via multiple XML declarations
  - debian/patches/CVE-2025-58767.patch: validate XML declarations in bundled rexml-3.3.9 (require version, restrict to version/encoding/standalone attributes, reject duplicates) and add Source#skip_spaces fast path; backport of upstream rexml commit 5859bdea (PR #282).
  - CVE-2025-58767
* SECURITY UPDATE: heap buffer overflow in Zlib::GzipReader#ungetc
  - debian/patches/CVE-2026-27820.patch: make the gzip output buffer expansion unconditional in zstream_buffer_ungets() so a large ungetc payload cannot memmove/write past the allocation (ext/zlib/zlib.c), plus regression test test_ungetc_buffer_underflow (test/zlib/test_zlib.rb).
  - CVE-2026-27820
Updated packages:
  • alt-ruby31_3.1.7-10_amd64.deb
    sha:47e35306d304ec7cf65615797dd2a36271887401
  • alt-ruby31-bundled-gems_3.1.7-10_amd64.deb
    sha:aab52f53f7a5636093bf04fb81463fb2a4627521
  • alt-ruby31-default-gems_3.1.7-10_amd64.deb
    sha:ecb0b36dc0e14c9c17d1c730237ace1095d81d54
  • alt-ruby31-devel_3.1.7-10_amd64.deb
    sha:b08bf96cd9f4ce113c1284b4b55344337afc31af
  • alt-ruby31-doc_3.1.7-10_amd64.deb
    sha:ff6108a41ee4f09c976db5fcf6dd7e56c5a04862
  • alt-ruby31-libs_3.1.7-10_amd64.deb
    sha:366b75f3f7bf530918bf2283e6769aa903a03e5e
  • alt-ruby31-rubygem-bigdecimal_3.1.1-10_amd64.deb
    sha:deaa89a98154867a9cc6f5703b8f6cb1ce4980f1
  • alt-ruby31-rubygem-bundler_2.3.27-10_amd64.deb
    sha:d8662039b8a75b302f6f25cb760bf78b292d74ed
  • alt-ruby31-rubygem-io-console_0.5.11-10_amd64.deb
    sha:d30046f62b3e6a97986d6be7cacba17c2306a059
  • alt-ruby31-rubygem-irb_1.4.1-10_amd64.deb
    sha:a0321457e12c42d1bbb021817f0e6abd3497f3d1
  • alt-ruby31-rubygem-json_2.6.1-10_amd64.deb
    sha:bdaadd4a67725c76f24b16d759591f42c760e33e
  • alt-ruby31-rubygem-minitest_5.15.0-10_amd64.deb
    sha:cac8c752f131f14c2585ab3cbc3f494b988be5f8
  • alt-ruby31-rubygem-power-assert_2.0.1-10_amd64.deb
    sha:3457609eb1760d866d43a8bccd3591392fa7cd9e
  • alt-ruby31-rubygem-psych_4.0.4-10_amd64.deb
    sha:e80f0e06adb3b57e0bce980b70f70ab53f0e425a
  • alt-ruby31-rubygem-rake_13.0.6-10_amd64.deb
    sha:b1821d523d445e6716d14fe44d24a50b6df6d4f4
  • alt-ruby31-rubygem-rbs_2.7.0-10_amd64.deb
    sha:0125b832ae8aa132abbc1d6408fa8650c7270f75
  • alt-ruby31-rubygem-rdoc_6.4.1.1-10_amd64.deb
    sha:480a2a2aa8320c1fa6316286541bcab5137cda8c
  • alt-ruby31-rubygem-rexml_3.3.9-10_amd64.deb
    sha:8d1b733b148fbd514c1ce4e66c49c95c7ecb09a9
  • alt-ruby31-rubygem-rss_0.3.1-10_amd64.deb
    sha:c343d2f84a478a67783fa176de068204f19cd1e3
  • alt-ruby31-rubygem-test-unit_3.5.3-10_amd64.deb
    sha:a992c6b24d569674bd00db77de1b5b6a51e454d3
  • alt-ruby31-rubygem-typeprof_0.21.3-10_amd64.deb
    sha:8868475fa32fe8148c8c42e8306870b0292c7acd
  • alt-ruby31-rubygems_3.3.27-10_amd64.deb
    sha:7a4b1d4b8405a3af92f25a2554f10cabe1d54760
  • alt-ruby31-rubygems-devel_3.3.27-10_amd64.deb
    sha:792fd12a5e0847ad0d79f660cf7fe681da2c4035
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.