SUSE-CU-2025:8644-1: Security update of bci/ruby

sle-container-updates at lists.suse.com
Thu Nov 27 08:15:11 UTC 2025


SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:8644-1
Container Tags        : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-19.8
Container Release     : 19.8
Severity              : important
Type                  : security
References            : 1225905 1230930 1232440 1235773 1237804 1237805 1237806 1245254
                        1246430 1246697 1250232 CVE-2024-35221 CVE-2024-47220 CVE-2024-49761
                        CVE-2025-24294 CVE-2025-27219 CVE-2025-27220 CVE-2025-27221 CVE-2025-6442
                        CVE-2025-9230
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2890-1
Released:    Tue Aug 19 09:54:32 2025
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1246697
This update for openssl-1_1 fixes the following issues:

- FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test
  instead of NID_secp256k1. [bsc#1246697]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3635-1
Released:    Fri Oct 17 16:33:06 2025
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1250232,CVE-2025-9230
This update for openssl-1_1 fixes the following issues:

- CVE-2025-9230: fixed out of bounds read and write in RFC 3211 KEK unwrap (bsc#1250232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4264-1
Released:    Wed Nov 26 16:52:41 2025
Summary:     Security update for ruby2.5
Type:        security
Severity:    important
References:  1225905,1230930,1232440,1235773,1237804,1237805,1237806,1245254,1246430,CVE-2024-35221,CVE-2024-47220,CVE-2024-49761,CVE-2025-24294,CVE-2025-27219,CVE-2025-27220,CVE-2025-27221,CVE-2025-6442
This update for ruby2.5 fixes the following issues:

- CVE-2024-35221: Fixed remote DoS via YAML manifest (bsc#1225905)
- CVE-2024-47220: Fixed HTTP request smuggling in WEBrick (bsc#1230930)
- CVE-2024-49761: Fixed ReDoS vulnerability by updating REXML to 3.3.9 (bsc#1232440)
- CVE-2025-24294: Fixed denial of service (DoS) caused by an insufficient check on the length
  of a decompressed domain name within a DNS packet in resolv gem (bsc#1246430)
- CVE-2025-27219: Fixed denial of service in CGI::Cookie.parse (bsc#1237804)
- CVE-2025-27220: Fixed ReDoS in CGI::Util#escapeElement (bsc#1237806)
- CVE-2025-27221: Fixed userinfo leakage in URI#join, URI#merge and URI#+ (bsc#1237805)
- CVE-2025-6442: Fixed ruby WEBrick read_header HTTP request smuggling vulnerability (bsc#1245254)


The following package changes have been done:

- libopenssl1_1-1.1.1w-150700.11.6.1 added
- libruby2_5-2_5-2.5.9-150700.24.3.1 updated
- ruby2.5-stdlib-2.5.9-150700.24.3.1 updated
- ruby2.5-2.5.9-150700.24.3.1 updated
- ruby2.5-devel-2.5.9-150700.24.3.1 updated

