MGASA-2025-0001 - Updated ruby packages fix security vulnerabilities

Publication date: 04 Jan 2025
URL: https://advisories.mageia.org/MGASA-2025-0001.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-35176,
     CVE-2024-39908,
     CVE-2024-41123,
     CVE-2024-41946,
     CVE-2024-43398,
     CVE-2024-49761

The REXML gem before 3.2.6 has a denial of service vulnerability when it
parses an XML that has many `<`s in an attribute value. (CVE-2024-35176)
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses
an XML that has many specific characters such as `<`, `0` and `%>`.
(CVE-2024-39908)
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses
an XML that has many specific characters such as whitespace character,
`>]` and `]>`. (CVE-2024-41123)
The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that
has many entity expansions with SAX2 or pull parser API.
(CVE-2024-41946)
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML
that has many deep elements that have same local name attributes.
(CVE-2024-43398)
The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an
XML that has many digits between &# and x...; in a hex numeric character
reference (&#x...;). (CVE-2024-49761)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33576
- https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQWXWS2GDTKX4LYWHQOZ2PWXDEICDX2W/
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/
- https://ubuntu.com/security/notices/USN-7091-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35176
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43398
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49761

SRPMS:
- 9/core/ruby-3.1.5-46.mga9

Mageia 2025-0001: ruby Security Advisory Updates

The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value

Summary

The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. (CVE-2024-35176) The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. (CVE-2024-39908) The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. (CVE-2024-41123) The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. (CVE-2024-41946) The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. (CVE-2024-43398) The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). (CVE-2024-49761)

References

- https://bugs.mageia.org/show_bug.cgi?id=33576

- https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/

- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQWXWS2GDTKX4LYWHQOZ2PWXDEICDX2W/

- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

- https://ubuntu.com/security/notices/USN-7091-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35176

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39908

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41946

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43398

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49761

Resolution

MGASA-2025-0001 - Updated ruby packages fix security vulnerabilities

SRPMS

- 9/core/ruby-3.1.5-46.mga9

Severity
Publication date: 04 Jan 2025
URL: https://advisories.mageia.org/MGASA-2025-0001.html
Type: security
CVE: CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved