Source: ruby3.2 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for ruby3.2. CVE-2024-35176[0]: | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a | denial of service vulnerability when it parses an XML that has many | `<`s in an attribute value. Those who need to parse untrusted XMLs | may be impacted to this vulnerability. The REXML gem 3.2.7 or later | include the patch to fix this vulnerability. As a workaround, don't | parse untrusted XMLs. https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7) https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-35176 https://www.cve.org/CVERecord?id=CVE-2024-35176 Please adjust the affected versions in the BTS as needed.