On Monday 27 January 2025, 15:04:49 UTC, Sylvain Beucler wrote:
> Hi,
>
> Do we plan/want to fix these REXML vulnerabilities accordingly in
> ruby3.1 (6 postponed) and ruby3.3 (1 unfixed) ?

I will try

> This sounds like a candidate for a (O)SPU task:
> https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues

Yes it is. Could you do it? I will need review and help, it is hard here.

Bastien

> Cheers!
> Sylvain
>
> On 18/01/2025 09:06, ro...@debian.org wrote:
> > -------------------------------------------------------------------------
> > Debian LTS Advisory DLA-4018-1                debian-lts@lists.debian.org
> > https://www.debian.org/lts/security/                   Bastien Roucariès
> > January 17, 2025                              https://wiki.debian.org/LTS
> > -------------------------------------------------------------------------
> >
> > Package        : ruby2.7
> > Version        : 2.7.4-1+deb11u3
> > CVE ID         : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946
> >                  CVE-2024-43398 CVE-2024-49761
> >
> > Multiple vulnerabilities were found in ruby, a popular programming
> > language.
> >
> > CVE-2024-35176
> >
> >     The REXML gem has a Denial of Service (DoS) vulnerability
> >     when it parses an XML that has many `<`s in
> >     an attribute value. Those who need to parse
> >     untrusted XMLs may be impacted by this vulnerability.
> >
> > CVE-2024-39908
> >
> >     The REXML gem has some Denial of Service (DoS) vulnerabilities
> >     when it parses an XML that has many specific characters such
> >     as `<`, `0` and `%>`. If you need to parse untrusted XMLs,
> >     you may be impacted by these vulnerabilities.
> >
> > CVE-2024-41123
> >
> >     The REXML gem has some Denial of Service (DoS) vulnerabilities
> >     when it parses an XML that has many specific characters
> >     such as whitespace characters, `>]` and `]>`.
> >     If you need to parse untrusted XMLs, you may be impacted
> >     by these vulnerabilities.
> >
> > CVE-2024-41946
> >
> >     The REXML gem had a Denial of Service (DoS) vulnerability
> >     when it parses an XML that has many entity expansions
> >     with SAX2 or pull parser API.
> >
> > CVE-2024-43398
> >
> >     REXML is an XML toolkit for Ruby.
> >     The REXML gem before 3.3.6 has a Denial of Service (DoS)
> >     vulnerability when it parses an XML that has many deep
> >     elements that have the same local name attributes.
> >     If you need to parse untrusted XMLs with tree parser
> >     API like REXML::Document.new, you may be impacted
> >     by this vulnerability. If you use other parser APIs
> >     such as stream parser API and SAX2 parser API,
> >     you are not impacted.
> >
> > CVE-2024-49761
> >
> >     REXML is an XML toolkit for Ruby.
> >     The REXML gem before 3.3.9 has a ReDoS vulnerability
> >     when it parses an XML that has many digits between
> >     &# and x...; in a hex numeric character reference (&#x...;).
> >
> > For Debian 11 bullseye, these problems have been fixed in version
> > 2.7.4-1+deb11u3.
> >
> > We recommend that you upgrade your ruby2.7 packages.
> >
> > For the detailed security status of ruby2.7 please refer to
> > its security tracker page at:
> > https://security-tracker.debian.org/tracker/ruby2.7
> >
> > Further information about Debian LTS security advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://wiki.debian.org/LTS
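Added example, not part of this thread or of the ruby packages it discusses: a Ruby guard that bounds the input shapes the quoted advisory describes (many `<` in an attribute value, deeply nested elements, over-long numeric character references) before handing untrusted XML to REXML's tree parser. The limit values are constructed, and the block assumes `REXML::Security.entity_expansion_limit=` is available.

```ruby
require 'rexml/document'

# Limits for untrusted input (constructed for this example; tune per workload).
UNTRUSTED_XML_LIMITS = {
  max_bytes: 1_000_000,         # whole document
  max_depth: 64,                # element nesting depth
  max_lt_per_attr: 32,          # '<' characters inside one attribute value
  max_charref_len: 12,          # characters after '&#' (a code point needs <= 8)
  entity_expansion_limit: 1_000 # handed to REXML::Security before parsing
}.freeze

# Linear-time lexical pre-checks for the input shapes the advisory names (many
# '<' in an attribute value, deep elements, over-long numeric character refs).
# Returns nil if the input looks acceptable, otherwise a reason. Deliberately
# approximate (CDATA/comments not special-cased): may reject odd valid input.
def untrusted_xml_reject_reason(xml, limits = UNTRUSTED_XML_LIMITS)
  return 'document too large' if xml.bytesize > limits[:max_bytes]
  # Attribute values: a quoted string following '='.
  xml.scan(/=\s*(?:"([^"]*)"|'([^']*)')/) do |dq, sq|
    if (dq || sq).count('<') > limits[:max_lt_per_attr]
      return "too many '<' in an attribute value"
    end
  end
  # Numeric character references far longer than any code point needs.
  if xml.match?(/&#[0-9A-Za-z]{#{limits[:max_charref_len] + 1},}/)
    return 'oversized numeric character reference'
  end
  # Element nesting depth from start and end tags; <x/> does not nest.
  depth = 0
  xml.scan(%r{<(/?)[A-Za-z_][^<>]*?(/?)>}) do |closing, self_closing|
    next unless self_closing.empty?
    if closing.empty?
      depth += 1
      return 'elements nested too deeply' if depth > limits[:max_depth]
    else
      depth -= 1
    end
  end
  nil
end

# Tree-API parse of untrusted XML after the pre-checks, with REXML's own entity
# expansion limit lowered. A distro package like the ruby2.7 in this DLA carries
# the fixes without changing REXML::VERSION, so check the package version.
def parse_untrusted_xml(xml, limits = UNTRUSTED_XML_LIMITS)
  reason = untrusted_xml_reject_reason(xml, limits)
  raise ArgumentError, "rejected untrusted XML: #{reason}" if reason
  REXML::Security.entity_expansion_limit = limits[:entity_expansion_limit]
  REXML::Document.new(xml)
end
```

The pre-check only narrows the input space; it does not replace applying the fixed package, and the SAX2/pull-parser entity case (CVE-2024-41946) is not bounded by the tree-parser limit set here.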