
Accepted ruby2.7 2.7.4-1+deb11u3 (source) into oldstable-security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 Jan 2025 17:40:58 +0000
Source: ruby2.7
Architecture: source
Version: 2.7.4-1+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 ruby2.7 (2.7.4-1+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix CVE-2024-35176: REXML is an XML toolkit for Ruby.
     The REXML gem has a Denial of Service (DoS) vulnerability
     when it parses an XML that has many `<`s in
     an attribute value. Those who need to parse
     untrusted XMLs may be impacted by this vulnerability.
   * Fix CVE-2024-39908: REXML is an XML toolkit for Ruby.
     The REXML gem has some Denial of Service (DoS) vulnerabilities
     when it parses an XML that has many specific characters such
     as `<`, `0` and `%>`. If you need to parse untrusted XMLs,
     you may be impacted by these vulnerabilities.
   * Fix CVE-2024-41123: REXML is an XML toolkit for Ruby.
     The REXML gem has some Denial of Service (DoS) vulnerabilities
     when it parses an XML that has many specific characters
     such as whitespace characters, `>]` and `]>`.
     If you need to parse untrusted XMLs, you may be impacted
     by these vulnerabilities.
   * Fix CVE-2024-41946: REXML is an XML toolkit for Ruby.
     The REXML gem had a Denial of Service (DoS) vulnerability
     when it parses an XML that has many entity expansions
     with SAX2 or pull parser API.
   * Fix CVE-2024-43398: REXML is an XML toolkit for Ruby.
     The REXML gem before 3.3.6 has a Denial of Service (DoS)
     vulnerability when it parses an XML that has many deep
     elements that have the same local name attributes.
     If you need to parse untrusted XMLs with a tree parser
     API like REXML::Document.new, you may be impacted
     by this vulnerability. If you use other parser APIs
     such as stream parser API and SAX2 parser API,
     you are not impacted.
   * Fix CVE-2024-49761: REXML is an XML toolkit for Ruby.
     The REXML gem before 3.3.9 has a ReDoS vulnerability
     when it parses an XML that has many digits between
     &# and x...; in a hex numeric character reference (&#x...;).
Checksums-Sha1:
 7b50ea6e86a9f1571264fd5c900ffe4bb37062f1 2534 ruby2.7_2.7.4-1+deb11u3.dsc
 c3af416830ab3a87ca8b3fdc2b8fc99522baee39 10810480 ruby2.7_2.7.4.orig.tar.xz
 c2b0bedff9439cdf88bcbe3f1e6d326c5f49fcf7 153780 ruby2.7_2.7.4-1+deb11u3.debian.tar.xz
 bf1416e6077e0e7f61f3af439f2afacc88ef8048 8783 ruby2.7_2.7.4-1+deb11u3_amd64.buildinfo
Checksums-Sha256:
 624266def7c4d54bff75b6c2984e23cd4df7454f41b00c426d08bc5234a3e81e 2534 ruby2.7_2.7.4-1+deb11u3.dsc
 a42c6089f82d9ab8dad2e72ba5b318f4177ff7bb17a584ae3834521e4f43c9b5 10810480 ruby2.7_2.7.4.orig.tar.xz
 a652b3d165494a5df19e182735a11ebf720358bcf808847f412088398c4532d9 153780 ruby2.7_2.7.4-1+deb11u3.debian.tar.xz
 2b1bb9def61d13729bac07db2f36b1d30f0d1798816800f4ebf92c212f4fd8b3 8783 ruby2.7_2.7.4-1+deb11u3_amd64.buildinfo
Files:
 0d447b2d15ade48d1920d87fdfe18a53 2534 ruby optional ruby2.7_2.7.4-1+deb11u3.dsc
 a66187d2e06edf92b45b03a840ba6570 10810480 ruby optional ruby2.7_2.7.4.orig.tar.xz
 60838ce9378d8b5a1fbe7dc95333d3df 153780 ruby optional ruby2.7_2.7.4-1+deb11u3.debian.tar.xz
 e6d860aa9245853adb247535ddf9ccb5 8783 ruby optional ruby2.7_2.7.4-1+deb11u3_amd64.buildinfo
