Source: ruby3.3
Version: 3.3.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for ruby3.3.

CVE-2025-61594[0]:
| URI is a module providing classes to handle Uniform Resource
| Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a
| bypass exists for the fix to CVE-2025-27221 that can expose user
| credentials. When using the `+` operator to combine URIs, sensitive
| information like passwords from the original URI can be leaked,
| violating RFC3986 and making applications vulnerable to credential
| exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61594
    https://www.cve.org/CVERecord?id=CVE-2025-61594
[1] https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
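Added example, not part of the bug report and not code from the uri gem: a defensive wrapper around the `URI#+` operator named in the CVE description. It applies the RFC 3986 rule the description refers to (when a reference supplies its own authority, or the host changes, no credentials from the base URI may survive in the result) after the library has done the merge, so an application keeps that guarantee whatever uri version is installed, and it exposes the same rule as a pure check that a test suite can run against the library's own output. The function names `credentials_leaked?` and `join_without_credential_leak` and the sample hostnames are chosen here; only the standard `uri` library is assumed.

```ruby
require 'uri'

# Added example, not code from the bug report or from the uri gem.
# RFC 3986 section 5.2.2: when a relative reference supplies its own
# authority ("//host/..."), the whole authority of the result, userinfo
# included, is taken from the reference. Credentials from the base URI
# must therefore never appear in a result whose authority the reference
# provided, nor in a result whose host differs from the base host.

# True when `result` (a URI produced by combining `base` with `reference`)
# still carries userinfo in a situation where RFC 3986 says it must not.
# This is a pure check on the three values; it does not call merge itself,
# so it can be pointed at the output of the installed uri gem as a test.
def credentials_leaked?(base, reference, result)
  return false if result.userinfo.nil?

  base_uri = URI(base)
  ref_uri  = URI(reference)
  ref_has_authority = !(ref_uri.host.nil? && ref_uri.userinfo.nil? && ref_uri.port.nil?)
  ref_has_authority || result.host != base_uri.host
end

# Combine with the same `+` operator the advisory names, then enforce the
# rule above regardless of which uri gem version is installed. Legitimate
# same-host relative references ("page.html") keep the base credentials,
# which RFC 3986 allows because the base authority is reused as a whole.
def join_without_credential_leak(base, reference)
  result = URI(base) + reference
  if credentials_leaked?(base, reference, result)
    # Clear both parts: each setter only touches its own component, so
    # user= alone would leave the password stored in the object.
    result.password = nil
    result.user = nil
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  base = "http://user:secret@a.example/docs/" # constructed sample base URI
  ["page.html", "//b.example/login", "https://c.example/"].each do |ref|
    puts "#{base} + #{ref.inspect} => #{join_without_credential_leak(base, ref)}"
  end
end
```

`credentials_leaked?` is the part worth keeping in a test suite: feeding it `base`, `reference` and the raw `URI(base) + reference` result turns the advisory's RFC 3986 statement into a regression assertion against whatever uri gem a deployment ships, while `join_without_credential_leak` is the belt-and-braces wrapper for code paths that build URLs from user-supplied bases.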

