[DRE-maint] Bug#1071627: ruby3.2: CVE-2024-35176
Moritz Mühlenhoff
jmm at inutil.org
Wed May 22 16:06:10 BST 2024
Source: ruby3.2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby3.2.
CVE-2024-35176[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
| denial of service vulnerability when it parses an XML that has many
| `<`s in an attribute value. Those who need to parse untrusted XMLs
| may be impacted to this vulnerability. The REXML gem 3.2.7 or later
| include the patch to fix this vulnerability. As a workaround, don't
| parse untrusted XMLs.
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35176
https://www.cve.org/CVERecord?id=CVE-2024-35176
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-ruby-extras-maintainers
mailing list