Package: ruby3.1
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for rexml, which is bundled in Ruby:

CVE-2024-41123[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
| some DoS vulnerabilities when it parses an XML that has many
| specific characters such as whitespace character, `>]` and `]>`. The
| REXML gem 3.3.3 or later include the patches to fix these
| vulnerabilities.

https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/

CVE-2024-41946[1]:
| REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
| vulnerability when it parses an XML that has many entity expansions
| with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
| the patch to fix the vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

CVE-2024-43398[2]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a
| DoS vulnerability when it parses an XML that has many deep elements
| that have same local name attributes. If you need to parse untrusted
| XMLs with tree parser API like REXML::Document.new, you may be
| impacted to this vulnerability. If you use other parser APIs such as
| stream parser API and SAX2 parser API, this vulnerability is not
| affected. The REXML gem 3.3.6 or later include the patch to fix the
| vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41123
    https://www.cve.org/CVERecord?id=CVE-2024-41123
[1] https://security-tracker.debian.org/tracker/CVE-2024-41946
    https://www.cve.org/CVERecord?id=CVE-2024-41946
[2] https://security-tracker.debian.org/tracker/CVE-2024-43398
    https://www.cve.org/CVERecord?id=CVE-2024-43398

Please adjust the affected versions in the BTS as needed.
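The CVE-2024-43398 text above notes that the tree parser API (REXML::Document.new) is the affected entry point and that the stream parser API is not. The following is an added example, not part of the bug report and not code from the REXML project, showing one way to parse untrusted XML on the stream API while also capping nesting depth, so that deeply nested input of the kind the advisory describes is rejected early instead of being built into a tree. The class names BoundedListener and DepthLimitExceeded, the helper parse_bounded, the depth limit of 32 and the sample documents are all assumptions made for this illustration; the entity_expansion_limit setting is used only as a defence-in-depth knob and is not claimed to address any specific CVE here.

```ruby
require "rexml/document"
require "rexml/streamlistener"
require "rexml/parsers/streamparser"

# Defence in depth (assumption: tune to your workload). REXML::Security
# exposes the entity expansion limit used by the parser; a small value
# bounds how much work an entity-heavy document can cause.
REXML::Security.entity_expansion_limit = 100

# Hypothetical error type for this example (not a REXML class).
class DepthLimitExceeded < StandardError; end

# Hypothetical listener for this example: counts elements, tracks the
# deepest nesting seen, and aborts the parse once nesting exceeds the cap.
# Using the stream API means no tree is built, so the work done per element
# stays constant regardless of how the document is shaped.
class BoundedListener
  include REXML::StreamListener

  attr_reader :element_count, :max_depth_seen

  def initialize(max_depth)
    @max_depth = max_depth
    @depth = 0
    @element_count = 0
    @max_depth_seen = 0
  end

  # Called for every start tag (self-closing tags get tag_start then tag_end).
  def tag_start(name, _attrs)
    @depth += 1
    @element_count += 1
    @max_depth_seen = @depth if @depth > @max_depth_seen
    return if @depth <= @max_depth

    # Raising here propagates out of StreamParser#parse and stops the parse.
    raise DepthLimitExceeded,
          "element <#{name}> at depth #{@depth} exceeds limit #{@max_depth}"
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Parse +xml+ (a String) with the stream parser and return simple statistics.
# Raises DepthLimitExceeded for documents nested deeper than +max_depth+.
def parse_bounded(xml, max_depth: 32)
  listener = BoundedListener.new(max_depth)
  REXML::Parsers::StreamParser.new(xml, listener).parse
  { elements: listener.element_count, max_depth: listener.max_depth_seen }
end

# Constructed sample inputs for this example.
SHALLOW_XML = "<root><a x='1'/><b><c>text</c></b></root>"
# 100 nested elements that all carry the same attribute name, in the spirit
# of the "deep elements that have same local name attributes" pattern.
DEEP_XML = ("<e a='1'>" * 100) + ("</e>" * 100)

if $PROGRAM_NAME == __FILE__
  p parse_bounded(SHALLOW_XML)
  begin
    parse_bounded(DEEP_XML)
  rescue DepthLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

The depth cap is enforced before any work is done on the offending element, and because the stream API never materialises the document, a rejected input costs no more than the elements read up to the limit. A version check of the installed rexml gem against 3.3.6 is still the actual fix; the cap only limits the damage an untrusted document can do on a build that has not yet been updated.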