Advisories ยป MGASA-2025-0001

Updated ruby packages fix security vulnerabilities

Publication date: 04 Jan 2025
Modification date: 04 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-35176 , CVE-2024-39908 , CVE-2024-41123 , CVE-2024-41946 , CVE-2024-43398 , CVE-2024-49761

Description

The REXML gem before 3.2.6 has a denial of service vulnerability when it
parses an XML that has many `<`s in an attribute value. (CVE-2024-35176)
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses
an XML that has many specific characters such as `<`, `0` and `%>`.
(CVE-2024-39908)
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses
an XML that has many specific characters such as whitespace character,
`>]` and `]>`. (CVE-2024-41123)
The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that
has many entity expansions with SAX2 or pull parser API.
(CVE-2024-41946)
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML
that has many deep elements that have same local name attributes.
(CVE-2024-43398)
The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an
XML that has many digits between &# and x...; in a hex numeric character
reference (&#x...;). (CVE-2024-49761)

References

SRPMS

9/core