Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 932013 (CVE-2024-35176) - <dev-ruby/rexml-3.2.8: Denial of Service
Summary: <dev-ruby/rexml-3.2.8: Denial of Service
Status: CONFIRMED
Alias: CVE-2024-35176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 932175
Blocks:
  Show dependency tree
 
Reported: 2024-05-17 04:27 UTC by Hans de Graaff
Modified: 2024-06-15 06:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-05-17 04:27:00 UTC 
There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-35176. We strongly recommend upgrading the REXML gem.
Details

When parsing an XML document that has many < in an attribute value, REXML gem may take long time.

Please update REXML gem to version 3.2.7 or later.
Affected versions

    REXML gem 3.2.6 or prior
Comment 1 Larry the Git Cow gentoo-dev 2024-06-15 06:10:53 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=264eccd8dbd24a8b65c27373fcfff40821804cb3

commit 264eccd8dbd24a8b65c27373fcfff40821804cb3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-06-15 06:10:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-15 06:10:30 +0000

    dev-ruby/rexml: drop 3.2.6
    
    Bug: https://bugs.gentoo.org/932013
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 -
 dev-ruby/rexml/rexml-3.2.6.ebuild | 33 ---------------------------------
 2 files changed, 34 deletions(-)