There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-43398. We strongly recommend upgrading the REXML gem.

Details

The vulnerability is triggered when parsing XML that has many deeply nested elements whose attributes share the same local name. Only the tree parser API is affected: if you are using REXML::Document.new to parse XML, you may be affected. Please update the REXML gem to version 3.3.6 or later.

Affected versions

REXML gem 3.3.5 or prior
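As an added example (not part of the advisory or of REXML itself), the following Ruby shows two defender-side checks: a version gate for the affected range named in the advisory, and a nesting-depth limit enforced with REXML's pull parser, which is not the tree API, before untrusted XML is handed to REXML::Document.new. The helper names, the depth limit of 64 and the sample document are assumptions.

```ruby
require "rexml/document"
require "rexml/parsers/pullparser"

# Hypothetical helper names; added example code, not part of REXML or the advisory.
FIXED_REXML_VERSION = Gem::Version.new("3.3.6")

# True when the given REXML version is within the affected range (3.3.5 or prior).
def rexml_affected?(version = REXML::VERSION)
  Gem::Version.new(version) < FIXED_REXML_VERSION
end

# Walk the document with the pull parser (stream-style, not the tree API) and
# return the maximum element nesting depth. Raises ArgumentError as soon as
# +max_depth+ is exceeded, so an oversized document is rejected before
# REXML::Document.new ever sees it.
def check_nesting_depth(xml, max_depth)
  parser = REXML::Parsers::PullParser.new(xml)
  depth = 0
  deepest = 0
  while parser.has_next?
    case parser.pull.event_type
    when :start_element
      depth += 1
      deepest = depth if depth > deepest
      raise ArgumentError, "nesting depth exceeds #{max_depth}" if depth > max_depth
    when :end_element
      depth -= 1
    end
  end
  deepest
end

# Parse untrusted XML with the tree API only after the depth guard has passed.
# The default limit of 64 is an assumed policy value, not a REXML setting.
def parse_untrusted(xml, max_depth: 64)
  check_nesting_depth(xml, max_depth)
  REXML::Document.new(xml)
end

# Constructed sample: three nested elements whose attributes share the local
# name "id", the shape the advisory describes, at a harmless size.
SAMPLE_XML = '<a id="1"><b id="2"><c id="3"/></b></a>'

if __FILE__ == $PROGRAM_NAME
  puts "REXML #{REXML::VERSION} affected? #{rexml_affected?}"
  doc = parse_untrusted(SAMPLE_XML, max_depth: 8)
  puts "root: #{doc.root.name}, deepest: #{check_nesting_depth(SAMPLE_XML, 8)}"
end
```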
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a016c2eb975bae51ce405dd58aad7ef41242dedc

commit a016c2eb975bae51ce405dd58aad7ef41242dedc
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-10-13 06:38:08 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-10-13 06:38:22 +0000

dev-ruby/rexml: drop 3.2.8, 3.3.4, 3.3.5

Bug: https://bugs.gentoo.org/937114
Bug: https://bugs.gentoo.org/936133
Bug: https://bugs.gentoo.org/938298
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

dev-ruby/rexml/Manifest           |  3 ---
dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
dev-ruby/rexml/rexml-3.3.4.ebuild | 40 ---------------------------------------
dev-ruby/rexml/rexml-3.3.5.ebuild | 40 ---------------------------------------
4 files changed, 123 deletions(-)