| Name | CVE-2025-0306 |
| Description | A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ruby2.7 (PTS) | bullseye | 2.7.4-1+deb11u1 | vulnerable |
| bullseye (security) | 2.7.4-1+deb11u3 | vulnerable |
| ruby3.1 (PTS) | bookworm, bookworm (security) | 3.1.2-7+deb12u1 | vulnerable |
| sid, trixie | 3.1.2-8.5 | fixed |
| ruby3.2 (PTS) | sid | 3.2.3-1 | vulnerable |
| ruby3.3 (PTS) | sid, trixie | 3.3.6-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| ruby2.7 | source | (unstable) | (unfixed) | | | |
| ruby3.1 | source | (unstable) | 3.1.2-8.4 | | | |
| ruby3.2 | source | (unstable) | (unfixed) | | | |
| ruby3.3 | source | (unstable) | (not affected) | | | |
Notes
- ruby3.3 <not-affected> (All versions of Ruby 3.3 used OpenSSL 3.2 since initial upload)
[bookworm] - ruby3.1 <ignored> (Minor issue and requires OpenSSL 3.2, which is not in Bookworm)
[bullseye] - ruby2.7 <ignored> (Minor issue and requires OpenSSL 3.2 or backport of implicit rejection, which is not in Bullseye)
First upload of OpenSSL 3.2 to unstable was 3.2.1-3 on 04 Apr 2024
https://bugzilla.redhat.com/show_bug.cgi?id=2336100
https://people.redhat.com/~hkario/marvin/
Using OpenSSL/3.2.0 or later does not guarantee to mitigate the issue in all
cases, but at least when using the default provider. It will be always up to
the application to properly defend against this attack vector.