Debian alert DLA-4018-1 (ruby2.7)
| From: | rouca@debian.org | |
| To: | <debian-lts-announce@lists.debian.org> | |
| Subject: | [SECURITY] [DLA 4018-1] ruby2.7 security update | |
| Date: | Sat, 18 Jan 2025 08:06:42 +0000 | |
| Message-ID: | <8fc53f102d13eb13e0226c2f19b45bc8@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4018-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Bastien Roucariès January 17, 2025 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : ruby2.7 Version : 2.7.4-1+deb11u3 CVE ID : CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-49761 Multiple vulnerabilities were found in ruby a popular programming language. CVE-2024-35176 The REXML gem has a Denial of Service (DoS) vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. CVE-2024-39908 The REXML gem has some Denial of Service (DoS) vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. CVE-2024-41123 The REXML gem has some Denial of Service (DoS) vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. CVE-2024-41946 The REXML gem had a Denial of Service (DoS) vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. CVE-2024-43398 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a Denial of Service (DoS) vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, you are not impacted. CVE-2024-49761 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). For Debian 11 bullseye, these problems have been fixed in version 2.7.4-1+deb11u3. We recommend that you upgrade your ruby2.7 packages. For the detailed security status of ruby2.7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.7 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmeLYQcACgkQADoaLapB CF9lsg//Sd/8ylXLKMN/FX6fuVBx5KUk971p/S5Vuu0xw21eJQ1FPtRiiL4x0PzK p7hA4EA5rN9CnmcQyD8sVlrY6iOIJBcnlw4+xg8ztRQKp8pOtRcfsZ7KNGl0c9OD Exkof8OjlKk8pC7u45uGaNBLBV0qWg0uv7pFgnR/c2py+bejO4NY8Hzf6k8o6UXe wUGxUIgN89F6iWyoupB4TX95qHxH2XqrrandffMKrj5ehxW4qZFpVL3+ei7/r3NI 4mWpsH3gDh295eTTtAoIumBfDxd+qFiHiOYAy3B+IzMxKgBT4fZFx/IywaYCsVIq yjioa2f6TuR60ZQD/MZH74o/XPotQrC93QP2XJbNzo4gwviJ5m3e4qAzCpy2dfQ8 UJly22JAnQRyDhyKJEmuFRlnbcy99pWF41ImyfhmSp0cLCwN5awXB8HCKIoUIrrb vZDEjePCnMwzGeVYYkITVi/eTzUgLT1n4HnDca3xKErueR6zQuOcPlrPLJaVDYGZ YHqM14riOvlaTC2VtOw/8F2PswBdKQo/KICagzHMJTVBK7AGeAsrvn08BaM9Hzr/ BX2U3kFHkAEdSTdVNS1V+Y/fprapK2mlCQR5DwpsUxYuez6rZRD+lMxjfmFvSJcR BxGPMWwAgBxhmU2ioYhIDUgAOjxtc2BN9XkZLv7BdYiadP2z/NM= =WmSR -----END PGP SIGNATURE-----