
[SECURITY] [DLA 4018-1] ruby2.7 security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-4018-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
January 17, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby2.7
Version        : 2.7.4-1+deb11u3
CVE ID         : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 
                 CVE-2024-43398 CVE-2024-49761

Multiple vulnerabilities were found in Ruby, a popular programming
language.

CVE-2024-35176

    The REXML gem has a Denial of Service (DoS) vulnerability
    when it parses an XML document that has many `<`s in
    an attribute value. Those who need to parse
    untrusted XML may be affected by this vulnerability.

CVE-2024-39908

    The REXML gem has some Denial of Service (DoS) vulnerabilities
    when it parses an XML document that has many specific characters such
    as `<`, `0` and `%>`. If you need to parse untrusted XML,
    you may be affected by these vulnerabilities.

CVE-2024-41123

    The REXML gem has some Denial of Service (DoS) vulnerabilities
    when it parses an XML document that has many specific characters
    such as whitespace characters, `>]` and `]>`.
    If you need to parse untrusted XML, you may be affected
    by these vulnerabilities.

CVE-2024-41946

    The REXML gem has a Denial of Service (DoS) vulnerability
    when it parses an XML document that has many entity expansions
    with the SAX2 or pull parser API.

CVE-2024-43398

    REXML is an XML toolkit for Ruby.
    The REXML gem before 3.3.6 has a Denial of Service (DoS)
    vulnerability when it parses an XML document that has many deeply
    nested elements carrying attributes with the same local name.
    If you need to parse untrusted XML with a tree parser
    API such as REXML::Document.new, you may be affected
    by this vulnerability. If you use other parser APIs,
    such as the stream parser API and the SAX2 parser API,
    you are not affected.

CVE-2024-49761

    REXML is an XML toolkit for Ruby.
    The REXML gem before 3.3.9 has a ReDoS vulnerability
    when it parses an XML document that has many digits
    between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u3.

We recommend that you upgrade your ruby2.7 packages.
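All six issues share one precondition: REXML is handed XML from an untrusted source. Beyond upgrading, an application can reduce its exposure by rejecting oversized input before the parser runs, capping entity expansion, and bounding parse time. The wrapper below is an added example written for this advisory, not code from Debian or the REXML project; it uses REXML::Security.entity_expansion_limit and REXML::VERSION, which are real REXML APIs, and takes 3.3.9 (the highest upstream fixed version named above) as the threshold for the version check.

```ruby
require "rexml/document"
require "timeout"

# Highest upstream REXML version named in the advisory as fixed (CVE-2024-49761);
# anything older is treated as potentially affected by one of the listed CVEs.
FIXED_REXML_VERSION = Gem::Version.new("3.3.9")

def rexml_fixed?(version_string = REXML::VERSION)
  Gem::Version.new(version_string) >= FIXED_REXML_VERSION
end

ParseResult = Struct.new(:ok, :doc, :reason)

# Parse XML from an untrusted source with defensive limits:
#   - reject oversized input before REXML ever sees it (cheap, catches the
#     "many repeated characters" inputs the advisory describes);
#   - cap the number of entity expansions (CVE-2024-41946 class of issue);
#   - bound wall-clock time so a pathological input that slips past the size
#     check cannot stall the caller indefinitely.
# Note: the entity expansion limit is process-wide in REXML, so it is restored
# afterwards; callers in multithreaded programs should serialize around this.
def parse_untrusted_xml(xml, max_bytes: 64 * 1024, max_entity_expansions: 100, timeout_s: 2)
  if xml.bytesize > max_bytes
    return ParseResult.new(false, nil, "input too large (#{xml.bytesize} bytes)")
  end
  previous_limit = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = max_entity_expansions
  doc = Timeout.timeout(timeout_s) { REXML::Document.new(xml) }
  ParseResult.new(true, doc, nil)
rescue Timeout::Error
  ParseResult.new(false, nil, "parse exceeded #{timeout_s}s")
rescue REXML::ParseException, RuntimeError => e
  # REXML raises a RuntimeError when the entity expansion limit is exceeded
  ParseResult.new(false, nil, "parse rejected: #{e.message}")
ensure
  REXML::Security.entity_expansion_limit = previous_limit if previous_limit
end

if __FILE__ == $PROGRAM_NAME
  puts "REXML #{REXML::VERSION} fixed for the advisory's CVEs: #{rexml_fixed?}"
  # Constructed sample input, not a real attack payload.
  result = parse_untrusted_xml("<report id=\"1\"><item/></report>")
  puts result.ok ? "parsed root <#{result.doc.root.name}>" : result.reason
end
```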

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS