From ${URL} : Upstream released a new version of Ruby [1] which fixes a DoS during XML expansion. Upstream commit fixing this: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/?pathrev=48161 [1]: https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Upstream announcement: https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/ Now in the tree: ruby-1.9.3_p550 ruby-2.0.0_p594 ruby-2.1.4 Since ruby-2.0.0_p594 and ruby-2.1.4 both contain bug fixes in addition to security fixes, my suggestion would be to wait a few days before marking these as stable so we can shake out any unexpected issues first.
No problems have been reported so we are good to go for stabilization: =dev-lang/ruby-1.9.3_p550 =dev-lang/ruby-2.0.0_p594
Stable for HPPA.
amd64 stable
x86 stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable
alpha stable. Maintainer(s), please clean up. Security, please vote.
Vulnerable versions have now been removed.
CVE-2014-8080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080): The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
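Added illustration for the CVE description above (not part of this bug thread or of the upstream fix): REXML's own defensive knobs, REXML::Security.entity_expansion_limit and REXML::Security.entity_expansion_text_limit, bound how many internal entity expansions a document may perform and how many bytes of text those expansions may produce. The helper below parses a constructed sample document under a given pair of limits and reports whether REXML accepted it or aborted. The sample document, its entity name and the reference count are constructed for the example and are deliberately tiny; only the configured limits decide whether it is rejected.

```ruby
require "rexml/document"

# Constructed sample input: one internal entity declared in the DTD and
# referenced repeatedly in the body. Small enough to be harmless; the point
# is to show the limits doing their job, not to stress the parser.
ENTITY_VALUE = "x" * 16
REFERENCE_COUNT = 20

SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [
    <!ENTITY e "#{ENTITY_VALUE}">
  ]>
  <doc>#{"&e;" * REFERENCE_COUNT}</doc>
XML

# Parse +xml+ and fully expand the root element's text while the given
# REXML security limits are in force.
#
# Returns [:ok, expanded_text_length] when the document is within limits,
# or [:rejected, message] when REXML aborts because a limit was exceeded.
# The previous limits are always restored afterwards.
def parse_with_limits(xml, expansion_limit:, text_limit:)
  saved_expansion = REXML::Security.entity_expansion_limit
  saved_text = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit

  doc = REXML::Document.new(xml)
  # REXML expands entity references in text lazily; reading the text is
  # what actually performs (and counts) the expansions.
  [:ok, doc.root.text.length]
rescue RuntimeError => e
  # REXML signals an exceeded limit with a RuntimeError (REXML's
  # ParseException is a subclass of it), which is what a caller should
  # treat as "reject this document".
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_limit = saved_expansion
  REXML::Security.entity_expansion_text_limit = saved_text
end

if $PROGRAM_NAME == __FILE__
  # Within REXML's default limits (10000 expansions, 10240 bytes of text):
  p parse_with_limits(SAMPLE_XML, expansion_limit: 10_000, text_limit: 10_240)
  # Too many expansions for a tight per-document budget:
  p parse_with_limits(SAMPLE_XML, expansion_limit: 5, text_limit: 10_240)
  # Expanded text larger than a tight byte budget (20 * 16 = 320 bytes):
  p parse_with_limits(SAMPLE_XML, expansion_limit: 10_000, text_limit: 100)
end
```

The two limits guard different things: entity_expansion_limit caps the number of expansions, which stops a document that references a cheap entity very many times, while entity_expansion_text_limit caps the total bytes produced, which stops a document whose few expansions each yield a very large value. Lowering both below the defaults for a service that only ever receives small, entity-free documents narrows the blast radius further; the failing case surfaces as a RuntimeError that the application should log and reject rather than retry.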
Arches and Maintainer(s), thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).