ALAS2023-2025-929

Amazon Linux 2023 Security Advisory: ALAS2023-2025-929
Advisory Released Date: 2025-04-14
Advisory Updated Date: 2025-04-14

Severity: Medium

References: CVE-2025-25186 CVE-2025-27219 CVE-2025-27220
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory. (CVE-2025-25186)

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. (CVE-2025-27219)

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. (CVE-2025-27220)

Affected Packages:

ruby3.2

Issue Correction:
Run dnf update ruby3.2 --releasever 2023.7.20250414 to update your system.

New Packages:

aarch64:
    ruby3.2-rubygem-io-console-0.6.0-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-io-console-debuginfo-0.6.0-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-bigdecimal-debuginfo-3.1.3-183.amzn2023.0.4.aarch64
    ruby3.2-bundled-gems-debuginfo-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-libs-debuginfo-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-rbs-debuginfo-2.8.2-183.amzn2023.0.4.aarch64
    ruby3.2-devel-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-debugsource-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-debuginfo-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-bundled-gems-3.2.7-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-json-2.6.3-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-psych-debuginfo-5.0.1-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-psych-5.0.1-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-json-debuginfo-2.6.3-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-bigdecimal-3.1.3-183.amzn2023.0.4.aarch64
    ruby3.2-rubygem-rbs-2.8.2-183.amzn2023.0.4.aarch64
    ruby3.2-libs-3.2.7-183.amzn2023.0.4.aarch64

noarch:
    ruby3.2-rubygem-minitest-5.25.1-183.amzn2023.0.4.noarch
    ruby3.2-default-gems-3.2.7-183.amzn2023.0.4.noarch
    ruby3.2-rubygems-devel-3.4.19-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-rexml-3.3.9-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-bundler-2.4.19-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-rake-13.0.6-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-rdoc-6.5.1.1-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-power_assert-2.0.3-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-rss-0.3.1-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-test-unit-3.5.7-183.amzn2023.0.4.noarch
    ruby3.2-rubygems-3.4.19-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-typeprof-0.21.3-183.amzn2023.0.4.noarch
    ruby3.2-rubygem-irb-1.6.2-183.amzn2023.0.4.noarch
    ruby3.2-doc-3.2.7-183.amzn2023.0.4.noarch

src:
    ruby3.2-3.2.7-183.amzn2023.0.4.src

x86_64:
    ruby3.2-rubygem-bigdecimal-debuginfo-3.1.3-183.amzn2023.0.4.x86_64
    ruby3.2-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-json-2.6.3-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-rbs-debuginfo-2.8.2-183.amzn2023.0.4.x86_64
    ruby3.2-debuginfo-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-bundled-gems-debuginfo-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-bundled-gems-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-json-debuginfo-2.6.3-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-io-console-0.6.0-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-psych-debuginfo-5.0.1-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-bigdecimal-3.1.3-183.amzn2023.0.4.x86_64
    ruby3.2-devel-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-psych-5.0.1-183.amzn2023.0.4.x86_64
    ruby3.2-libs-debuginfo-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-io-console-debuginfo-0.6.0-183.amzn2023.0.4.x86_64
    ruby3.2-rubygem-rbs-2.8.2-183.amzn2023.0.4.x86_64
    ruby3.2-debugsource-3.2.7-183.amzn2023.0.4.x86_64
    ruby3.2-libs-3.2.7-183.amzn2023.0.4.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-25186, CVE-2025-27219, CVE-2025-27220

Mitre: CVE-2025-25186, CVE-2025-27219, CVE-2025-27220