Packages
Details
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. This update addresses the issue
in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39908,
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. This update addresses the issue
in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39908, CVE-2024-41123)
It was discovered that the REXML module bunded into Ruby incorrectly
handled parsing XML documents with many entity expansions. An attacker
could possibly use this issue to cause REXML to consume excessive
resources, leading to a denial of service. Ubuntu 20.04 LTS was previously
addressed in USN-7091-2. This update addresses the issue in Ubuntu 16.04
LTS and Ubuntu 18.04 LTS. (CVE-2024-41946)
It was discovered that the WEBrick module bundled into Ruby incorrectly
handled having both a Content-Length header and a Transfer-Encoding header.
A remote attacker could possibly use this issue to perform a HTTP request
smuggling attack. (CVE-2024-47220)
It was discovered that the WEBrick module bundled into Ruby incorrectly
parsed HTTP headers. In configurations where the WEBrick module is placed
behind an HTTP proxy, a remote attacker could possibly use this issue to
perform an HTTP Request Smuggling attack. (CVE-2025-6442)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 20.04 LTS focal | libruby2.7 – 2.7.0-5ubuntu1.18+esm3 | ||
| 18.04 LTS bionic | libruby2.5 – 2.5.1-1ubuntu1.16+esm6 | ||
| ruby2.5 – 2.5.1-1ubuntu1.16+esm6 | |||
| 16.04 LTS xenial | libruby2.3 – 2.3.1-2~ubuntu16.04.16+esm11 | ||
| ruby2.3 – 2.3.1-2~ubuntu16.04.16+esm11 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.