CVE-2024-41946: DoS vulnerability in REXML

There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-41946. We strongly recommend upgrading the REXML gem.

Details

When parsing an XML document that has many entity expansions with the SAX2 or pull parser API, the REXML gem may take a long time. Please update the REXML gem to version 3.3.3 or later.

CVE-2024-41123: DoS vulnerabilities in REXML

There are some DoS vulnerabilities in the REXML gem. These vulnerabilities have been assigned the CVE identifier CVE-2024-41123. We strongly recommend upgrading the REXML gem.

Details

When parsing an XML document that has many specific characters such as whitespace characters, ">]" and "]>", the REXML gem may take a long time. Please update the REXML gem to version 3.3.3 or later.
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
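Both advisories give the same remediation: REXML 3.3.3 or later. The following is an added check, not part of this bug or of the ruby-lang.org advisories, that compares a REXML version string against that fixed release with RubyGems' own version ordering (so pre-release tags and multi-digit components compare correctly), lists every rexml gem RubyGems can see, and reports the status of the copy that `require 'rexml'` would load. It assumes only the standard Gem::Version / Gem::Specification API and the REXML::VERSION constant the rexml gem defines.

```ruby
# Added example: reports whether a REXML version is below the 3.3.3 release
# that the CVE-2024-41946 / CVE-2024-41123 advisories name as fixed.
require 'rubygems'

# First release the advisories name as fixed for both CVEs.
FIXED_REXML_VERSION = Gem::Version.new('3.3.3')

# true  -> version is older than 3.3.3 (affected per the advisories)
# false -> version is 3.3.3 or newer
# nil   -> the string is not a valid RubyGems version
def rexml_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_REXML_VERSION
rescue ArgumentError
  nil
end

# Every rexml gem version RubyGems can see (several may be installed side by
# side), each mapped to :vulnerable or :fixed.
def installed_rexml_gems
  Gem::Specification.find_all_by_name('rexml').map do |spec|
    version = spec.version.to_s
    [version, rexml_vulnerable?(version) ? :vulnerable : :fixed]
  end
end

# Status of the REXML copy that `require 'rexml'` would actually load.
# rexml/rexml.rb is the file in the gem that defines REXML::VERSION.
def loaded_rexml_status
  require 'rexml/rexml'
  return :unknown unless defined?(REXML::VERSION)
  rexml_vulnerable?(REXML::VERSION) ? :vulnerable : :fixed
rescue LoadError
  :not_installed
end

if __FILE__ == $PROGRAM_NAME
  status = loaded_rexml_status
  puts "loaded rexml: #{status}"
  installed_rexml_gems.each { |v, s| puts "  rexml-#{v}: #{s}" }
  # Non-zero exit so the check can gate a CI job or deployment.
  exit(1) if status == :vulnerable
end
```

Run it under the Ruby interpreter your application uses; a system with only the 3.2.8 package referenced in the commits below reports that copy as vulnerable, and a Gemfile.lock pin on an older rexml overrides whatever the system has installed, so the check belongs in the application's own bundle context as well.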
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7

commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-08-31 06:09:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-31 06:09:30 +0000

    dev-ruby/rexml: drop 3.2.8

    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 -
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 2 files changed, 41 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4074fda8d1d2baab73dca9cf18c2230c2741420c

commit 4074fda8d1d2baab73dca9cf18c2230c2741420c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 06:50:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 06:50:46 +0000

    Revert "dev-ruby/rexml: drop 3.2.8"

    This reverts commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7.

    dev-ruby/vagrant_cloud needs it still.

    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 +
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)