Unrestricted entity expansion can lead to a DoS vulnerability in REXML, like “Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)” and “CVE-2014-8080: Parameter Entity expansion DoS vulnerability in REXML”. This vulnerability has been assigned the CVE identifier CVE-2014-8090. We strongly recommend to upgrade Ruby.
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before
2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to
cause a denial of service (CPU and memory consumption) a crafted XML
document containing an empty string in an entity that is used in a large
number of nested entity references, aka an XML Entity Expansion (XEE)
attack. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2013-1821 and CVE-2014-8080.
All versions mentioned are in the tree. Please advise when you are ready for stabilization.
Please test and mark stable:
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please vote.
Arches and Mainter(s), Thank you for your work.
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).