Hi,

Do we plan/want to fix these REXML vulnerabilities accordingly in ruby3.1 (6 postponed) and ruby3.3 (1 unfixed)?

This sounds like a candidate for a (O)SPU task:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues

Cheers!
Sylvain

On 18/01/2025 09:06, ro...@debian.org wrote:
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4018-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
January 17, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby2.7
Version        : 2.7.4-1+deb11u3
CVE ID         : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946
                  CVE-2024-43398 CVE-2024-49761

Multiple vulnerabilities were found in ruby, a popular programming
language.

CVE-2024-35176

     The REXML gem has a Denial of Service (DoS) vulnerability
     when it parses an XML that has many `<`s in
     an attribute value. Those who need to parse
     untrusted XMLs may be impacted by this vulnerability.

CVE-2024-39908

     The REXML gem has some Denial of Service (DoS) vulnerabilities
     when it parses an XML that has many specific characters such
     as `<`, `0` and `%>`. If you need to parse untrusted XMLs,
     you may be impacted by these vulnerabilities.

CVE-2024-41123

     The REXML gem has some Denial of Service (DoS) vulnerabilities
     when it parses an XML that has many specific characters
     such as whitespace characters, `>]` and `]>`.
     If you need to parse untrusted XMLs, you may be impacted
     by these vulnerabilities.

CVE-2024-41946

     The REXML gem has a Denial of Service (DoS) vulnerability
     when it parses an XML that has many entity expansions
     with the SAX2 or pull parser API.

CVE-2024-43398

     REXML is an XML toolkit for Ruby.
     The REXML gem before 3.3.6 has a Denial of Service (DoS)
     vulnerability when it parses an XML that has many deep
     elements that have the same local name attributes.
     If you need to parse untrusted XMLs with a tree parser
     API like REXML::Document.new, you may be impacted
     by this vulnerability. If you use other parser APIs
     such as stream parser API and SAX2 parser API,
     you are not impacted.

CVE-2024-49761

     REXML is an XML toolkit for Ruby.
     The REXML gem before 3.3.9 has a ReDoS vulnerability
     when it parses an XML that has many digits between
     &# and x...; in a hex numeric character reference (&#x...;).

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u3.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
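The advisories above all concern REXML processing untrusted XML: oversized or pathological input, entity expansions, and values that only get expanded lazily. The following is an added example of the defensive wrapper a consumer of the patched packages would put in front of REXML; it is not part of the advisory, the Debian packages, or REXML itself. The byte cap, entity limits, timeout value, the helper names and the sample documents are all constructed for illustration; the `entity_expansion_limit` / `entity_expansion_text_limit` setters are REXML's own (kept on `REXML::Document` in older releases and on `REXML::Security` in newer ones).

```ruby
# Added example (not part of the advisory or any Debian package): a guarded
# REXML parse for untrusted XML. All caps below are constructed values.
require "rexml/document"
require "timeout"

MAX_XML_BYTES = 64 * 1024          # reject oversized input before any parsing
MAX_ENTITY_EXPANSIONS = 100        # REXML's default is 10_000
MAX_ENTITY_TEXT_BYTES = 1024       # REXML's default is 10_240
PARSE_TIMEOUT_SECONDS = 2          # last-resort backstop for pathological input

class UntrustedXmlError < StandardError; end

# Tighten REXML's process-wide entity limits. Older REXML keeps these
# setters on REXML::Document, newer releases on REXML::Security.
def configure_rexml_limits
  limits = defined?(REXML::Security) ? REXML::Security : REXML::Document
  limits.entity_expansion_limit = MAX_ENTITY_EXPANSIONS
  limits.entity_expansion_text_limit = MAX_ENTITY_TEXT_BYTES
end

# Parse untrusted XML with the tree API, failing closed on oversized input,
# excessive entity expansion, malformed markup, or a parse that runs too long.
def parse_untrusted_xml(xml)
  if xml.bytesize > MAX_XML_BYTES
    raise UntrustedXmlError, "input too large: #{xml.bytesize} bytes"
  end
  configure_rexml_limits

  Timeout.timeout(PARSE_TIMEOUT_SECONDS) do
    doc = REXML::Document.new(xml)
    # REXML expands entity references lazily, on first access to a text or
    # attribute value. Touch every value now so the expansion limits fire
    # here, inside the timeout, rather than later in application code.
    doc.each_recursive do |element|
      element.texts.each(&:value)
      element.attributes.each_attribute { |attr| attr.value }
    end
    doc
  end
rescue Timeout::Error
  # Timeout::Error is itself a RuntimeError, so it must be rescued first.
  raise UntrustedXmlError, "parse exceeded #{PARSE_TIMEOUT_SECONDS}s"
rescue RuntimeError => e
  # REXML::ParseException and REXML's entity-limit errors are RuntimeErrors.
  raise UntrustedXmlError, "rejected: #{e.message}"
end

# Constructed inputs: a benign document, and a nested-entity document whose
# expanded text exceeds MAX_ENTITY_TEXT_BYTES (64 bytes * 4 * 4 * 4).
BENIGN_XML = '<root><item id="1">hello</item></root>'
NESTED_ENTITY_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "#{"a" * 64}">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;">
  ]>
  <x>&d;</x>
XML

if __FILE__ == $PROGRAM_NAME
  puts parse_untrusted_xml(BENIGN_XML).root.elements["item"].text
  begin
    parse_untrusted_xml(NESTED_ENTITY_XML)
  rescue UntrustedXmlError => e
    puts e.message
  end
end
```

The size check runs before REXML sees a single byte, the entity limits are REXML's own knobs (note that they are process-wide, so set them once at startup in real code), and the forced walk over text and attribute values turns a lazy failure deep in application code into a rejection at the trust boundary. `Timeout` is only a backstop: Ruby can interrupt the parser at an inconvenient point, so a process-level CPU or memory limit on the worker doing the parsing is the more robust last line of defence.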
