-------------------------------------------------------------------------
Debian LTS Advisory DLA-4018-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
January 17, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : ruby2.7
Version        : 2.7.4-1+deb11u3
CVE ID         : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946
                 CVE-2024-43398 CVE-2024-49761

Multiple vulnerabilities were found in ruby, a popular programming language.

CVE-2024-35176

    The REXML gem has a Denial of Service (DoS) vulnerability when it
    parses an XML that has many `<`s in an attribute value. Those who
    need to parse untrusted XMLs may be impacted by this vulnerability.

CVE-2024-39908

    The REXML gem has some Denial of Service (DoS) vulnerabilities when
    it parses an XML that has many specific characters such as `<`, `0`
    and `%>`. If you need to parse untrusted XMLs, you may be impacted by
    these vulnerabilities.

CVE-2024-41123

    The REXML gem has some Denial of Service (DoS) vulnerabilities when
    it parses an XML that has many specific characters such as a
    whitespace character, `>]` and `]>`. If you need to parse untrusted
    XMLs, you may be impacted by these vulnerabilities.

CVE-2024-41946

    The REXML gem had a Denial of Service (DoS) vulnerability when it
    parses an XML that has many entity expansions with the SAX2 or pull
    parser API.

CVE-2024-43398

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a
    Denial of Service (DoS) vulnerability when it parses an XML that has
    many deep elements that have same-named local attributes. If you need
    to parse untrusted XMLs with the tree parser API, such as
    REXML::Document.new, you may be impacted by this vulnerability. If
    you use other parser APIs, such as the stream parser API and the SAX2
    parser API, you are not impacted.

CVE-2024-49761

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a
    ReDoS vulnerability when it parses an XML that has many digits
    between `&#` and `x...;` in a hex numeric character reference
    (`&#x...;`).

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u3.

We recommend that you upgrade your ruby2.7 packages.
For the detailed security status of ruby2.7 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
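The advisory's recurring caveat is "if you need to parse untrusted XMLs". The following wrapper is an added example, not part of the advisory or of the rexml project: it bounds the three resources the listed CVEs exhaust (input size, entity expansion count and text, parser wall-clock time) around REXML::Document.new, and reports whether the installed REXML is at or above 3.3.9, the upstream version named for CVE-2024-49761. The module name, limits and timeout are assumptions chosen for illustration; the size and time caps only contain the damage and are no substitute for the package upgrade.

```ruby
require 'rexml/document'
require 'timeout'

# Added example (not advisory or rexml code): defensive parsing of
# untrusted XML around the DoS classes listed in DLA-4018-1.
module SafeXml
  MAX_BYTES     = 1 << 20   # assumed cap; every listed CVE needs "many" characters
  PARSE_TIMEOUT = 2         # seconds; REXML is pure Ruby, so Timeout can interrupt it
  FIXED_VERSION = Gem::Version.new('3.3.9')  # upstream version named in the advisory

  class RejectedInput < StandardError; end

  # Entity-expansion limits (CVE-2024-41946 concerned parsers that did not
  # count expansions at all). Both setters exist in REXML::Security.
  REXML::Security.entity_expansion_limit      = 100
  REXML::Security.entity_expansion_text_limit = 10_000

  # Is the installed (or given) REXML version at or above the fixed one?
  def self.rexml_fixed?(version = REXML::VERSION)
    Gem::Version.new(version) >= FIXED_VERSION
  end

  # Parse untrusted XML with the tree parser, rejecting oversized input
  # before the parser sees it and aborting a parse that runs too long.
  def self.parse(xml)
    if xml.bytesize > MAX_BYTES
      raise RejectedInput, "input is #{xml.bytesize} bytes, limit #{MAX_BYTES}"
    end
    Timeout.timeout(PARSE_TIMEOUT) { REXML::Document.new(xml) }
  rescue Timeout::Error
    raise RejectedInput, "parser exceeded #{PARSE_TIMEOUT}s"
  rescue REXML::ParseException => e
    raise RejectedInput, "malformed XML: #{e.message.lines.first.strip}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts "installed REXML #{REXML::VERSION}, fixed: #{SafeXml.rexml_fixed?}"
  # constructed, benign sample document
  puts SafeXml.parse("<r a='1'><c/></r>").root.name
end
```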