]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
projects / thirdparty / openembedded / openembedded-core-contrib.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7a73197) | patch
ruby: fix CVE-2025-27221
authorDivya Chellam <divya.chellam@windriver.com>
Fri, 23 May 2025 13:23:53 +0000 (18:53 +0530)
committerSteve Sakoman <steve@sakoman.com>
Fri, 23 May 2025 15:27:24 +0000 (08:27 -0700)
commitc77ff1288719d90ef257dfe28cb33b3768fc124a
tree32fd2828353737b740b50e4f904e5db5ff2e6c73tree | snapshot
parent7a7319745637d4b681935ae71706dcc467df3040commit | diff
ruby: fix CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby_3.1.3.bb diff | blob | blame | history
Mirror of git://git.openembedded.org/openembedded-core-contrib