Source: ruby3.1
Version: 3.1.2-8.5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for ruby3.1.

CVE-2024-49761[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a
| ReDoS vulnerability when it parses an XML that has many digits
| between &# and x...; in a hex numeric character reference (&#x...;).
| This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only
| affected maintained Ruby. The REXML gem 3.3.9 or later include the
| patch to fix the vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49761
    https://www.cve.org/CVERecord?id=CVE-2024-49761
[1] https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
[2] https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
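Added example, not part of the bug report above and not REXML's own fix: a small Ruby helper that (a) decides from the advisory's stated conditions (Ruby older than 3.2 and REXML older than 3.3.9) whether an installation is exposed, and (b) rejects, before the document ever reaches REXML, any numeric character reference whose body between `&#` and `;` is implausibly long, which is the input shape the advisory describes. The digit cap (`MAX_CHARREF_LEN`), the helper names and the constructed sample documents are assumptions made for this example; the guard is a stop-gap for untrusted input until the fixed gem is installed, not a replacement for it.

```ruby
# Added example for CVE-2024-49761 (REXML hex numeric character reference ReDoS).
# Not the upstream patch: a pre-parse input guard plus an exposure check derived
# from the advisory text. Names and thresholds below are assumptions.
require "rubygems" # Gem::Version

# A real code point needs at most 7 characters in a reference body ("x10FFFF" or
# "1114111"). 16 leaves slack for leading zeros; the value is an assumption.
MAX_CHARREF_LEN = 16
FIXED_REXML = Gem::Version.new("3.3.9")
FIRST_SAFE_RUBY = Gem::Version.new("3.2")

# Version of the REXML that `require "rexml/..."` would load, or nil if absent.
def installed_rexml_version
  require "rexml/rexml" # defines REXML::VERSION
  REXML::VERSION
rescue LoadError
  nil
end

# True iff both advisory conditions hold: Ruby < 3.2 AND REXML < 3.3.9.
# Versions are parameters so the logic can be exercised without the real install.
def rexml_redos_exposed?(ruby_version: RUBY_VERSION, rexml_version: installed_rexml_version)
  return false if rexml_version.nil? # nothing to be exposed
  Gem::Version.new(ruby_version) < FIRST_SAFE_RUBY &&
    Gem::Version.new(rexml_version) < FIXED_REXML
end

# Linear scan (no backtracking-prone regex) for numeric character references
# "&#...;" whose body is longer than max_len. Returns the offending references.
def oversized_charrefs(xml, max_len = MAX_CHARREF_LEN)
  offenders = []
  pos = 0
  while (start = xml.index("&#", pos))
    body_start = start + 2
    i = body_start
    # Consume the characters a reference body may legitimately contain.
    i += 1 while i < xml.length && xml[i].match?(/[0-9a-fA-Fx]/)
    body = xml[body_start...i]
    offenders << "&##{body}#{xml[i] == ';' ? ';' : ''}" if body.length > max_len
    pos = i
  end
  offenders
end

# Refuse oversized references before handing untrusted XML to REXML.
def parse_untrusted(xml)
  bad = oversized_charrefs(xml)
  raise ArgumentError, "rejected oversized numeric character reference: #{bad.first}" unless bad.empty?
  require "rexml/document"
  REXML::Document.new(xml)
end

if __FILE__ == $PROGRAM_NAME
  puts "exposed on this install: #{rexml_redos_exposed?.inspect}"
  benign = "<a>&#x41;&#65;</a>"                  # constructed: two normal references
  hostile = "<a>&#" + ("0" * 50) + "x41;</a>"    # constructed: the advisory's shape
  puts "benign  -> #{oversized_charrefs(benign).inspect}"
  puts "hostile -> #{oversized_charrefs(hostile).inspect}"
end
```

The guard deliberately scans with `String#index` and a single-character class instead of a pattern like `/&#(\d+)x.../`, so the check itself cannot become a second ReDoS; treat `MAX_CHARREF_LEN` as a policy knob and log rejections so a genuinely odd-but-valid document is noticed rather than silently dropped.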
