]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
projects / thirdparty / openembedded / openembedded-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8f54548) | patch
ruby: fix CVE-2025-27221
authorDivya Chellam <divya.chellam@windriver.com>
Fri, 23 May 2025 13:25:42 +0000 (18:55 +0530)
committerSteve Sakoman <steve@sakoman.com>
Fri, 23 May 2025 15:57:46 +0000 (08:57 -0700)
commit421d7011269f4750f5942b815d68f77fa4559d69
tree4d2a908d13cb8cadbc0ea2a9414583bfb0786793tree | snapshot
parent8f54548f784ef60eaf7fb6b3f539d48b0f7192a3commit | diff
ruby: fix CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby_3.3.5.bb diff | blob | blame | history
Mirror of git://git.openembedded.org/openembedded-core