It was discovered that the REXML module bunded into Ruby incorrectly handled parsing XML documents with repeated instances of certain characters. An attacker could possibly use this issue to cause REXML to consume excessive resources, leading to a denial of service. Ubuntu 18.04 LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS. (CVE-2024-35176) It was discovered that the REXML module bunded into Ruby incorrectly handled parsing XML documents with repeated instances of certain characters. An attacker could possibly use this issue to cause REXML to consume excessive resources, leading to a denial of service. Ubuntu 20.04 LTS was previously addressed in USN-7256-1. This update addresses the issue in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39908, CVE-2024-41123) It was discovered that the REXML module bunded into Ruby incorrectly handled parsing XML documents with many entity expansions. An attacker could possibly use this issue to cause REXML to consume excessive resources, leading to a denial of service. Ubuntu 20.04 LTS was previously addressed in USN-7091-2. This update addresses the issue in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-41946) It was discovered that the WEBrick module bundled into Ruby incorrectly handled having both a Content-Length header and a Transfer-Encoding header. A remote attacker could possibly use this issue to perform a HTTP request smuggling attack. (CVE-2024-47220) It was discovered that the WEBrick module bundled into Ruby incorrectly parsed HTTP headers. In configurations where the WEBrick module is placed behind an HTTP proxy, a remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. (CVE-2025-6442)
Continue reading...
Continue reading...
