here is a ReDoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-49761. We strongly recommend upgrading the REXML gem. This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. Details When parsing an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). Please update REXML gem to version 3.3.9 or later. Affected versions REXML gem 3.3.8 or prior with Ruby 3.1 or prior
Classifying this as a "B" since it only affects ruby 3.1 and that version is no longer the default and won't be present on new installs.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18ede35852d6d97a1235b2011098dcd5e5e6b468 commit 18ede35852d6d97a1235b2011098dcd5e5e6b468 Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-11-11 11:34:46 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-11-11 11:34:59 +0000 dev-ruby/rexml: drop 3.3.6, 3.3.7, 3.3.8 Bug: https://bugs.gentoo.org/942432 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-ruby/rexml/Manifest | 3 --- dev-ruby/rexml/rexml-3.3.6.ebuild | 40 --------------------------------------- dev-ruby/rexml/rexml-3.3.7.ebuild | 40 --------------------------------------- dev-ruby/rexml/rexml-3.3.8.ebuild | 40 --------------------------------------- 4 files changed, 123 deletions(-)
