Unrestricted entity expansion can lead to a DoS vulnerability in REXML, like “Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)” and “CVE-2014-8080: Parameter Entity expansion DoS vulnerability in REXML”. This vulnerability has been assigned the CVE identifier CVE-2014-8090. We strongly recommend to upgrade Ruby.
CVE-2014-8090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090): The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
All versions mentioned are in the tree. Please advise when you are ready for stabilization.
Please test and mark stable: =dev-lang/ruby-1.9.3_p551 =dev-lang/ruby-2.0.0_p598
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
ppc64 stable
arm stable
sparc stable
alpha stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done.
Arches and Mainter(s), Thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).