[Git][security-tracker-team/security-tracker][master] CVE-2024-39887, CVE-2024-39839, CVE-2024-41926, CVE-2024-41946/ruby2.7: follow...

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue Aug 6 16:42:13 BST 2024



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d35778d by Sylvain Beucler at 2024-08-06T17:41:43+02:00
CVE-2024-39887,CVE-2024-39839,CVE-2024-41926,CVE-2024-41946/ruby2.7: follow bookworm triage for REXML DoS CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -707,6 +707,7 @@ CVE-2024-41946 (REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
 	- ruby3.1 <unfixed>
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
+	[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
 	NOTE: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
 CVE-2024-41926 (Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate ...)
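Review bot: the entry changed in this hunk is CVE-2024-41946 only, but the commit subject also names CVE-2024-41926; that ID belongs to the unchanged Mattermost context line at the end of the hunk, so the subject should drop CVE-2024-41926. Also, since the subject says "follow bookworm triage" while bookworm carries `[bookworm] - ruby3.1 <no-dsa> (Minor issue)` and the new line is `[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)`, it is worth confirming that `<postponed>` (rather than `<no-dsa>`) is the intended bullseye state.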
@@ -727,6 +728,7 @@ CVE-2024-41123 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
 	- ruby3.1 <unfixed>
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
+	[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
 	NOTE: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
 CVE-2024-39839 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9. ...)
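Review bot: the entry modified here is CVE-2024-41123, which the commit subject does not list; the subject's CVE-2024-39839 is the unchanged Mattermost context line that closes this hunk. Suggest replacing CVE-2024-39839 with CVE-2024-41123 in the subject so the log matches what changed.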
@@ -4358,6 +4360,7 @@ CVE-2024-39908 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has
 	- ruby3.1 <unfixed> (bug #1076768)
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
+	[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
 	NOTE: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
 CVE-2024-39887 (An SQL Injection vulnerability in Apache Superset exists due to improp ...)
 	NOT-FOR-US: Apache Superset
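Review bot: same mismatch as the previous hunk: the `[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)` line is added to CVE-2024-39908, while the commit subject names CVE-2024-39887, which is the untouched `NOT-FOR-US: Apache Superset` entry in the trailing context. The subject should name CVE-2024-39908.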
@@ -23626,6 +23629,7 @@ CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has
 	- ruby3.1 <unfixed> (bug #1071626)
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
+	[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
 	- ruby2.5 <removed>
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
 	NOTE: Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
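Review bot: CVE-2024-35176 is modified here but is missing from the commit subject altogether, so only one of the four IDs in the subject (CVE-2024-41946) matches an entry this commit actually touches; the changed entries are CVE-2024-41946, CVE-2024-41123, CVE-2024-39908 and CVE-2024-35176. The placement of the new `[bullseye] - ruby2.7` line directly after `- ruby2.7 <removed>` and before `- ruby2.5 <removed>` is correct, keeping the suite annotation next to its package line.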



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d35778de0f4de751c2cdf08210dbe1752965b68




